US11558405B2 - Real-time prevention of malicious content via dynamic analysis - Google Patents


Info

Publication number
US11558405B2
Authority
US
United States
Prior art keywords
data
action
received
computer
malicious
Prior art date
Legal status
Active, expires
Application number
US17/128,639
Other versions
US20210185062A1 (en)
Inventor
Senthil Cheetancheri
Alex Dubrovsky
Sachin Holagi
Current Assignee
SonicWall LLC
Original Assignee
SonicWall LLC
Priority date
Filing date
Publication date
Application filed by SonicWall LLC
Priority to US17/128,639 (patent US11558405B2)
Assigned to SONICWALL INC.; assignors: CHEETANCHERI, Senthil; DUBROVSKY, Alex; HOLAGI, Sachin
Publication of US20210185062A1
Priority to US17/949,796 (patent US20230020421A1)
Application granted
Publication of US11558405B2
Legal status: Active
Adjusted expiration

Classifications

    • H ELECTRICITY
        • H04 ELECTRIC COMMUNICATION TECHNIQUE
            • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
                • H04L 63/00 Network architectures or network communication protocols for network security
                    • H04L 63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
                        • H04L 63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
                            • H04L 63/1416 Event detection, e.g. attack signature detection
                            • H04L 63/1425 Traffic logging, e.g. anomaly detection
                        • H04L 63/1433 Vulnerability analysis
                        • H04L 63/1441 Countermeasures against malicious traffic
                            • H04L 63/145 Countermeasures against malicious traffic the attack involving the propagation of malware through the network, e.g. viruses, trojans or worms
                    • H04L 63/02 Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
                        • H04L 63/0227 Filtering policies
                            • H04L 63/0245 Filtering by information in the payload
    • G PHYSICS
        • G06 COMPUTING; CALCULATING OR COUNTING
            • G06F ELECTRIC DIGITAL DATA PROCESSING
                • G06F 21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
                    • G06F 21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
                        • G06F 21/55 Detecting local intrusion or implementing counter-measures
                            • G06F 21/56 Computer malware detection or handling, e.g. anti-virus arrangements
                                • G06F 21/562 Static detection
                                    • G06F 21/563 Static detection by source code analysis
                                • G06F 21/566 Dynamic detection, i.e. detection performed at run-time, e.g. emulation, suspicious activities
                                • G06F 21/567 Computer malware detection or handling, e.g. anti-virus arrangements using dedicated hardware

Definitions

  • The present invention generally relates to identifying whether data transmitted between different computer systems includes malicious content. More specifically, the present invention relates to identifying whether malware is included in one or more data packets transmitted from a first computer to a second computer.
  • Malware can be any software program that includes code that executes without the knowledge or authorization of an owner or user of a computing device.
  • Malware is typically distributed by parties with nefarious intent. Malware is commonly used to steal or destroy computer data or to snoop on or spy on the actions of a user when the user operates a computer. Malware is also frequently used to damage a computer or to damage computer data. For example, malware may be used to steal personal or financial information, to blackmail computer users by denying access to their own data unless or until a fee is paid, or to damage infected computers by damaging data stored on those infected computers.
  • Malware is increasingly difficult to identify. Frequently, until a particular sort of malware has been identified and characterized, conventional techniques that identify whether a communication includes malware can miss detecting the presence of that malware in the communication. This may occur when information in one or more received data packets is hidden or when the malware is not identifiable by a signature associated with the information in the received data packets.
  • DPI: deep packet inspection
  • A method consistent with the present disclosure may include receiving a plurality of data packets sent from a source computer to a destination computer, where each of those data packets is then sent on to the destination computer except for at least one packet. After those data packets are received, instructions associated with the plurality of data packets may be executed while actions associated with those instructions are observed. The observation of the execution of the instructions may identify that an action performed by the executed instructions is an unauthorized action, and the plurality of data packets may be identified as including malware when the action performed is the unauthorized action.
  • This method may also include not sending at least one data packet to the destination computer when the malware is identified as being included in the plurality of data packets, thereby preventing the destination computer from receiving the malware in a functional state.
  • A processor executing instructions out of a memory may also receive a plurality of data packets sent from a source computer to a destination computer, where each of those data packets is then sent on to the destination computer except for at least one packet.
  • Instructions associated with the plurality of data packets may be executed while actions associated with those instructions are observed.
  • The observation of the execution of the instructions may identify that an action performed by the executed instructions is an unauthorized action, and the plurality of data packets may be identified as including malware when the action performed is the unauthorized action.
  • This method may also include not sending at least one data packet to the destination computer when the malware is identified as being included in the plurality of data packets, thereby preventing the destination computer from receiving the malware in a functional state.
  • An apparatus of the presently claimed invention may include an analysis computer that receives a plurality of data packets sent from a source computer to a destination computer, the analysis computer including a memory, a processor executing instructions out of the memory, and a network interface that receives the plurality of data packets, where each of those data packets is then sent on to the destination computer except for at least one packet.
  • Instructions associated with the plurality of data packets may be executed while actions associated with those instructions are observed.
  • The observation of the execution of the instructions may identify that an action performed by the executed instructions is an unauthorized action, and the plurality of data packets may be identified as including malware when the action performed is the unauthorized action.
  • This method may also include not sending at least one data packet to the destination computer when the malware is identified as being included in the plurality of data packets, thereby preventing the destination computer from receiving the malware in a functional state.
  • FIG. 1 illustrates a flow diagram consistent with the present disclosure where data included in downloaded data packets are received and analyzed for the presence of malware.
  • FIG. 2 illustrates an exemplary set of steps that may be performed when a set of data packets are received by a computing device.
  • FIG. 3 illustrates a set of steps that may be performed when data packets associated with a set of data packets are received.
  • FIG. 4 illustrates an exemplary set of program steps that may be performed when data packets associated with a set of data packets are analyzed by a computing device.
  • FIG. 5 illustrates a firewall communicating with an analysis computer when data packets sent from a source computer are received by and sent from the firewall.
  • FIG. 6 illustrates a computing system that may be used to implement an embodiment of the present invention.
  • This disclosure relates to methods and apparatus for preventing malicious content from reaching a destination via a dynamic analysis engine that may operate in real-time when packetized data is received.
  • Data packets sent from a source computer to a destination computer may be initially received by a firewall and be forwarded to an analysis computer.
  • The analysis computer may then monitor actions performed by executable program code included within the set of data packets when making determinations regarding whether the data packet set should be classified as malware. In certain instances, all but the last data packet of the data packet set may also be sent to the destination computer while the analysis computer executes and monitors the program code included in the data packet set.
  • By receiving and performing operations on those data packets, such as forwarding them to the analysis computer or not sending the last data packet to the destination computer, the firewall performs the function of “intercepting” data packets as it receives them.
  • The dynamic analysis may be performed in real-time or near real-time, thereby optimizing the efficiency of malware threat detection while optimizing network bandwidth.
  • A dedicated analysis engine may enable the performance of a firewall to be improved as well.
  • The malware may be blocked from reaching the destination computer by not sending the last data packet to the destination computer.
  • The methods and apparatus described herein may also prepare data included in a set or stream of data packets for evaluations that may identify whether malware is included in the data packet set.
  • The computing device may prepare data included in the data packets for evaluation, after which the computing device may analyze the data included in the data packet set to see if that data includes malware.
  • The preparation of the data in the data packets for evaluation may include de-obfuscating the data included in the data packets, where the de-obfuscation may include decrypting or reordering/resequencing data included in the data packets.
  • When data packets are encrypted, data included in those data packets may be decrypted using a decryption algorithm associated with a secure transfer session. In certain instances, a portion of the data included in the data packet set may be decrypted.
  • The decryption may include XORing at least a portion of the data included in the data packet set with other data or with other data included in the data packet set.
  • Decryption according to standard secure methods for delivering packages may be considered an authorized function, whereas unexpected decryptions may be associated with an unauthorized function.
  • The XORing of data in a packet set may cause a data packet set to be classified as malware.
  • An example of reordering/resequencing received data includes reorganizing received data according to an interleaving process that reshuffles the data. Such a process is similar to shuffling a deck of cards, where each card is equivalent to one or more data bits/bytes.
  • Data from different portions of a packet or from different packets may be reorganized, forming an executable data set that may include malware.
  • Code included in one or more packets may include instructions for reordering data included in the data set after it is received. The execution of those instructions may generate malicious code from data that has been intentionally obfuscated to prevent a deep packet inspection engine from detecting malware hidden within the data packet set.
  • The analysis of the data in the data packets may include executing program code included in the data packets and monitoring the execution of that program code while watching for unauthorized or suspicious actions performed by the program code.
  • Unauthorized actions include, yet are not limited to, writing to a boot block, updating a system registry, making changes to the file system, deleting computer data, copying data, transmitting data to another computer, or intercepting calls to a set of basic input/output instructions (BIOS) of a computer executing that program code.
  • BIOS: basic input/output instructions
  • The intercepting of BIOS calls by the program code may be identified by observing program code replacing an original BIOS-related command with another command, or by observing that program code modifying parameters that were included in the original BIOS-related command before the original BIOS command can be executed.
  • The analysis function may execute program code for the destination computer using a “Sandboxing” technique, thus allowing the program code to be evaluated for malware in a secure environment.
  • Methods and apparatus consistent with the present disclosure may combine “Sandboxing” with deep packet inspection (DPI).
  • Sandboxing and DPI may be performed in parallel, so that malware that has not been previously identified may be detected by the “Sandboxing” technique, while malware that has been previously identified may be detected via matching DPI techniques.
  • The analysis of data included in the data packet set may also observe the execution of program code and identify that the executed program code performs a function relating to organizing further instructions for execution from data included in the plurality of data packets. Once observed, this analysis may then classify this reorganization of data as an unauthorized action, after which the data packet set may be blocked. As such, content included in a data set may be classified as malware based on how or which functions are performed by program code within that data set.
  • Determinations relating to the identification of malware may also be based on a set of rules that identify which program behaviors are authorized or unauthorized. For example, a rule may be used to classify data within a data packet set as malware whenever data within that data set is reorganized/reshuffled or when data within that data set is manipulated or de-obfuscated by an XOR function. Alternatively, another rule may indicate that the decryption of packet data is acceptable as long as it is performed in a manner consistent with a standard or expected type of decryption (such as decryption associated with a TCP communication). This other rule may also indicate that further analysis of program data is required after the decryption has been performed.
  • Methods consistent with the present disclosure may include continuing the analysis of program code included in a data packet set with the intent of identifying whether that program code performs malicious actions and which malicious acts it does perform.
  • Signatures may be generated from the reorganized data for later use by a deep packet inspection (DPI) engine, for example.
  • FIG. 1 illustrates a flow diagram consistent with the present disclosure where data included in downloaded data packets are received and analyzed for the presence of malware.
  • Step 105 of FIG. 1 receives a packet associated with a set of packets. After the packet of the packet set is received in step 105, step 110 of FIG. 1 identifies whether the received packet is the last packet of the data set; when it is not, program flow moves to step 115, where the received packet is sent to a destination and to a computing device. At the point in time when the received packet is sent to the destination and to the computing device, no determination has been made as to whether the packet set includes malware.
  • The computing device may be a computer in the Cloud that is accessible via the Internet, and the computing device may perform a service of identifying whether received data packet sets include malware. These services may be provided for subscribed users.
  • The computing device may reside in a corporate network or be part of a computer network associated with a user computer that is a destination associated with a set of data packets.
  • A computer that initially receives data packets may also be the computing device that performs operations relating to identifying whether received data packets include malware. In other instances, more than one computer may perform these functions; for example, a firewall could receive data packets and send them to another computer for analysis.
  • In step 120, operations are performed with the received packet at the computing device.
  • Operations performed at the computing device may include de-obfuscating information in the data packet, resequencing the order of received data, or any operation that renders or transforms received information associated with the received set of packets into a form executable by a processor.
  • Operations performed in step 120 may be related to decryption of data included in received packets, executing sets of instructions that re-sort the order of instructions included in the received packets, and/or executing instructions included in the received data packets.
  • Step 125 of FIG. 1 identifies whether malware has been detected/identified in the packet set.
  • When step 125 identifies that the data packet set includes malware, program flow moves to step 130, where a corrective action may be performed.
  • This corrective action may include dropping a connection associated with the received packets, stopping the receipt of data packets, or stopping the re-transmission of packets associated with the packet set.
  • Corrective actions may also include storing information that helps characterize or identify that a source of the packets is not a reputable source of data packets.
  • Another corrective action may relate to storing signatures or other identifying attributes associated with the received data packets, such that these signatures or identifying attributes may be used to more rapidly identify the malware when it is subsequently received.
  • The methods and apparatus consistent with the present disclosure may combine “Sandboxing,” where instructions included in a data packet set are executed at the computing device, with deep packet inspection (DPI) that identifies patterns or signatures that have been previously identified as being malicious.
  • Step 125 is performed after step 120.
  • Program flow may flow from step 120 back to step 105 without performing step 125.
  • When malware is not detected in step 125, program flow moves from step 125 to step 105, where additional data packets may be received.
  • When step 110 identifies that the received packet is the last data packet, the last data packet may be sent to the computing device in step 135 of FIG. 1.
  • In step 140 of FIG. 1, operations may be performed with data included in the last packet, and associated operations may be performed after the data packet set has been received in its entirety.
  • The operations included in step 140 may include some or all of the operations discussed in respect to step 120 of FIG. 1.
  • The last packet received may not be a packet that is truly the last packet of a packet set, yet may be the last received packet of the packet set.
  • Step 145 identifies whether malware is detected in the packet set.
  • When malware is detected in step 145, program flow moves to step 130, where one or more corrective actions may be performed.
  • Corrective actions may include dropping a connection associated with the received packets, stopping the receipt of data packets, stopping the re-transmission of packets associated with the packet set, storing information that helps characterize or identify that a source of the packets is not a reputable source of data packets, and/or storing signatures or other identifying attributes associated with the received data packets.
  • Signatures or identifying attributes may be used to more rapidly identify the malware when it is subsequently encountered.
  • When malware is not detected in step 145, program flow may move from step 145 to step 150 of FIG. 1, where the last packet is sent to the destination.
  • FIG. 2 illustrates an exemplary set of steps that may be performed when a set of data packets are received by a computing device.
  • All but the last data packet of the data packet set may be sent to the destination computer while another computer evaluates data included in the data packet set for malware.
  • Not transmitting the last data packet to the destination computer in step 210 of FIG. 2 may cause the computer that sent the data packet set to identify that the last data packet was “dropped” or “lost” in transmission.
  • Step 220 of FIG. 2 identifies whether a determination has been made relating to whether the data packet set includes malware.
  • When no determination has yet been made, program flow may move from step 220 to step 270, where the last data packet may be dropped; program flow then moves to step 280, where a retransmission of the last data packet is received.
  • The retransmission of the last data packet may have been performed by the computer that originally sent the data packet set because that sending computer did not receive an acknowledgement indicating that the last data packet was received at the destination computer.
  • Such retransmissions are part of the standard operation of packetized transfer of computer data; for example, communications sent via the transmission control protocol (TCP) will be retransmitted from a sending computer when the sending computer does not receive an acknowledgment indicating that a particular data packet was received by the destination computer.
  • TCP: transmission control protocol
  • After step 270, program flow moves back to step 210, where the last data packet is dropped again.
  • Program flow may move from step 210 to step 220, to step 270, and back to step 210 repetitively until a determination has been made in step 220.
  • Once a determination has been made, step 240 may identify whether malware has been detected in the data packet set.
  • When malware is detected, program flow may move from step 240 to step 250 of FIG. 2, where a corrective action is performed.
  • The corrective action performed may correspond to one or more of the corrective actions discussed in respect to FIG. 1 above.
  • When step 240 indicates that malware is not detected in the set of data packets, program flow moves from step 240 to step 260, where the last data packet is sent to the destination.
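The last-packet gate of FIG. 1 and FIG. 2, including the drop/retransmit loop of steps 210, 220, 270 and 280, modelled in Python as an added example (not code from the patent or from SonicWall); the flow identifiers, packet fields and the slow-verdict analyser stand-in are constructed for illustration.

```python
"""Model of the last-packet gate of FIG. 1 and FIG. 2 (added example, not the patent's code).

Flow identifiers, packet fields and the 'slow analyser' stand-in are constructed.
"""
from dataclasses import dataclass, field
from enum import Enum
from typing import Callable, Dict, List, Optional, Set, Tuple


class Verdict(Enum):
    PENDING = "pending"    # no determination yet (step 220 answers "no")
    BENIGN = "benign"
    MALWARE = "malware"


@dataclass
class Packet:
    flow: str              # constructed flow identifier
    seq: int               # position of the packet within the data packet set
    payload: bytes
    last: bool = False     # True for the last packet of the set


@dataclass
class FlowState:
    forwarded: List[Packet] = field(default_factory=list)  # delivered to the destination (step 115)
    analysed: List[Packet] = field(default_factory=list)   # copies handed to the analysis computer
    held_last: Optional[Packet] = None                     # the withheld last packet (step 210)
    verdict: Verdict = Verdict.PENDING
    drops: int = 0         # times the last packet, retransmissions included, was dropped (step 270)


class LastPacketGate:
    """Forwards every packet except the last; the last is released only on a benign verdict."""

    def __init__(self, analyse: Callable[[bytes], Verdict]):
        self.analyse = analyse                 # stands in for the analysis computer
        self.flows: Dict[str, FlowState] = {}
        self.blocked: Set[str] = set()         # flows whose connection was dropped (corrective action)

    def receive(self, pkt: Packet) -> str:
        """Handle one packet; returns 'forwarded', 'dropped', 'released' or 'blocked'."""
        if pkt.flow in self.blocked:
            return "blocked"
        st = self.flows.setdefault(pkt.flow, FlowState())
        if not pkt.last:
            # Steps 110/115: a non-last packet goes to the destination AND to the
            # analysis computer before any verdict exists.
            st.forwarded.append(pkt)
            st.analysed.append(pkt)
            return "forwarded"
        # Steps 135/210: the last packet reaches the analysis computer only; a
        # retransmitted copy is not handed over a second time.
        if st.held_last is None:
            st.held_last = pkt
            st.analysed.append(pkt)
        # Step 220: ask for a determination while none has been made.
        if st.verdict is Verdict.PENDING:
            data = b"".join(p.payload for p in sorted(st.analysed, key=lambda p: p.seq))
            st.verdict = self.analyse(data)
        if st.verdict is Verdict.PENDING:
            st.drops += 1                      # Step 270: drop; the sender retransmits (step 280)
            return "dropped"
        if st.verdict is Verdict.MALWARE:
            self.blocked.add(pkt.flow)         # Step 250: corrective action, connection dropped
            return "blocked"
        st.forwarded.append(st.held_last)      # Step 260: benign, release the last packet
        return "released"


def make_slow_analyser(delay: int, is_malicious: Callable[[bytes], bool]) -> Callable[[bytes], Verdict]:
    """Constructed analysis-computer stand-in: PENDING for `delay` polls, then a verdict."""
    polls = {"n": 0}

    def analyse(data: bytes) -> Verdict:
        polls["n"] += 1
        if polls["n"] <= delay:
            return Verdict.PENDING
        return Verdict.MALWARE if is_malicious(data) else Verdict.BENIGN

    return analyse


def run_flow(payloads: List[bytes], delay: int,
             is_malicious: Callable[[bytes], bool]) -> Tuple[List[str], FlowState]:
    """Push a constructed packet set through the gate, retransmitting the last packet
    (as a TCP sender does on a missing ACK) until it is released or the flow is blocked."""
    gate = LastPacketGate(make_slow_analyser(delay, is_malicious))
    pkts = [Packet("demo", i, p, last=(i == len(payloads) - 1)) for i, p in enumerate(payloads)]
    actions = [gate.receive(p) for p in pkts]
    while actions[-1] == "dropped":
        actions.append(gate.receive(pkts[-1]))   # sender retransmits the withheld last packet
    return actions, gate.flows["demo"]


if __name__ == "__main__":
    # Constructed marker: the stand-in analyser treats a data set containing b"EVIL" as malware.
    flag = lambda d: b"EVIL" in d
    print(run_flow([b"AAA", b"BBB", b"EVIL"], delay=2, is_malicious=flag)[0])
    print(run_flow([b"AAA", b"BBB", b"CCC"], delay=2, is_malicious=flag)[0])
```

The non-last packets reach the destination before any verdict exists, which is the bandwidth trade-off the description accepts; only the withheld last packet decides whether the data set arrives in a functional state.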
  • FIG. 3 illustrates a set of steps that may be performed when data packets associated with a set of data packets are received.
  • Step 310 is a step where data included in one or more data packets of the data packet set is de-obfuscated. This de-obfuscation operation may include one or more steps, including, yet not limited to, decrypting data in the received data packets or resequencing data in the data packets.
  • Step 320 may execute one or more instructions included in or associated with the received set of data packets.
  • Step 330 of FIG. 3 is a step where actions performed when the instructions are executed are observed.
  • Step 340 identifies whether any unauthorized action is performed by the executable code when it executes.
  • Unauthorized actions are actions where program code included in a set of data packets accesses or sends information that is considered inappropriate. Unauthorized actions may also include writes to one or more data storage locations that are considered sensitive. Examples of unauthorized actions include, yet are not limited to, accessing or transmitting data such as registry data, passwords, user account information, web browsing history, file system data, and/or financial information.
  • Unauthorized actions also include writing to a computer registry, writing to the boot block of a data storage device, such as writing to Logical Block Address zero (LBA 0) of a disk drive, writing to a data storage location where program data is stored, and/or the operation of code that prevents the normal operation or booting of a computer system.
  • LBA 0: Logical Block Address zero
  • Such unauthorized actions can significantly affect the performance of a destination computer or can render the computer system unusable by a user. For example, overwriting LBA 0 of a disk drive can prevent the booting of a computer system because LBA 0 is typically used to store data that is required for that computer to boot (startup and initialize).
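An added example, not the patent's or SonicWall's code, of the rule-based classification of observed actions described here and in the earlier rule discussion (XOR de-obfuscation and reshuffling flagged, expected TLS/TCP-session decryption allowed but marked for further analysis, boot-block and registry writes, BIOS call interception, sensitive-data access): the action vocabulary, rule wording and sample traces are constructed.

```python
"""Rule-based classification of actions observed while sandboxed code runs (steps 330/340).

Added example, not the patent's code. The action vocabulary, rule table and sample
traces are constructed; the behaviours they encode are the ones the description lists.
"""
from dataclasses import dataclass
from typing import List, Tuple


@dataclass(frozen=True)
class Action:
    kind: str          # constructed vocabulary: disk_write, registry_write, fs_change, delete,
                       # copy, net_send, bios_hook, reorder, xor_transform, decrypt, read
    target: str = ""   # e.g. "LBA 0", a path, a host:port, or a sensitive-data class
    detail: str = ""   # decrypt: "tls"/"tcp_session"/other; bios_hook: "replace_cmd"/"modify_params"


@dataclass(frozen=True)
class Finding:
    verdict: str       # "unauthorized", "authorized" or "authorized_needs_analysis"
    reason: str


# Behaviours the description treats as unauthorized outright.
UNAUTHORIZED_KINDS = {
    "registry_write": "update of the system registry",
    "fs_change": "change to the file system",
    "delete": "deletion of computer data",
    "copy": "copying of data",
    "net_send": "transmission of data to another computer",
    "reorder": "reorganising received data into further instructions",
    "xor_transform": "de-obfuscation of packet data with an XOR function",
}
# Data classes whose access or transmission the description calls inappropriate.
SENSITIVE_DATA = {"registry", "passwords", "user_accounts", "browsing_history",
                  "file_system", "financial"}
# Decryption consistent with a standard secure transfer session is acceptable,
# but the decrypted data still has to be analysed further.
EXPECTED_DECRYPTION = {"tls", "tcp_session"}


def classify(action: Action) -> Finding:
    """Apply the rule set to one observed action."""
    if action.kind == "disk_write":
        if action.target.replace(" ", "").upper() == "LBA0":
            return Finding("unauthorized", "write to the boot block (LBA 0)")
        if action.target == "program_store":
            return Finding("unauthorized", "write to a location where program data is stored")
        return Finding("authorized", "ordinary disk write")
    if action.kind == "bios_hook":
        return Finding("unauthorized", f"interception of a BIOS call ({action.detail})")
    if action.kind == "read" and action.target in SENSITIVE_DATA:
        return Finding("unauthorized", f"access to sensitive data: {action.target}")
    if action.kind == "decrypt":
        if action.detail in EXPECTED_DECRYPTION:
            return Finding("authorized_needs_analysis", f"expected {action.detail} decryption")
        return Finding("unauthorized", "unexpected decryption of packet data")
    if action.kind in UNAUTHORIZED_KINDS:
        return Finding("unauthorized", UNAUTHORIZED_KINDS[action.kind])
    return Finding("authorized", "no rule matched")


def evaluate_trace(trace: List[Action]) -> Tuple[bool, bool, List[str]]:
    """Walk an action trace in order. Returns (is_malware, needs_further_analysis, reasons).

    The first unauthorized action already settles the verdict (step 340 -> 350); the
    trace is walked to the end anyway so every reason is available for signature generation."""
    reasons: List[str] = []
    needs_more = False
    for action in trace:
        finding = classify(action)
        if finding.verdict == "unauthorized":
            reasons.append(finding.reason)
        elif finding.verdict == "authorized_needs_analysis":
            needs_more = True
    return bool(reasons), needs_more, reasons


# Constructed sample traces (host:port below is a documentation address, not a real indicator).
OBFUSCATED_DROPPER = [
    Action("decrypt", detail="tls"),                    # normal session decryption: allowed
    Action("xor_transform", target="payload"),          # XOR de-obfuscation: flagged
    Action("reorder", target="payload"),                # reshuffle into executable code: flagged
    Action("disk_write", target="LBA 0"),               # boot-block overwrite: flagged
    Action("net_send", target="203.0.113.9:4444"),      # data sent to another host: flagged
]
PLAIN_DOWNLOAD = [
    Action("decrypt", detail="tls"),
    Action("disk_write", target="Downloads/report.pdf"),
    Action("read", target="user_documents"),
]

if __name__ == "__main__":
    print(evaluate_trace(OBFUSCATED_DROPPER))
    print(evaluate_trace(PLAIN_DOWNLOAD))
```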
  • When an unauthorized action is identified in step 340, program flow may move from step 340 to step 350 of FIG. 3.
  • The corrective actions performed may include any of the corrective actions discussed in respect to FIG. 1.
  • When no unauthorized action is identified, program flow may move to step 360, which determines whether the execution of the instructions included in the set of data packets has completed; when it has not, program flow moves from step 360 back to step 320, where the execution of the instructions included in the data packet set continues.
  • When step 360 identifies that the instructions included in the data packet set have completed, program flow moves to step 370, where the last packet associated with the data packet set is sent to the destination.
  • FIG. 4 illustrates an exemplary set of program steps that may be performed when data packets associated with a set of data packets are analyzed by a computing device. These data packets may be analyzed after a user request to access a webpage universal resource locator (URL) or to download a file has been received from a destination computer.
  • Step 410 of FIG. 4 is a step where an identification is made that the destination computer has attempted to download a set of data packets. This identification may be made immediately as the destination computer attempts to download the data packet set.
  • Step 420 of FIG. 4 is where the set of data packets is analyzed for the presence of malware.
  • A determination as to whether the malware analysis of the set of data packets has completed may be performed in step 430 of FIG. 4.
  • When the analysis has not completed, program flow moves to step 440, where the analysis of the data packet set is continued, after which program flow moves back to step 430 of FIG. 4.
  • A message (not illustrated) may be sent to the destination computer for presentation to a user.
  • The message may indicate that a background process associated with analyzing the set of data packets is being performed to determine whether those data packets include malware or whether they are benign (appear to be free of malware).
  • This message may also inform the user that data related to the attempted download will be provided to the destination computer if the analysis indicates that the download does not include malware.
  • When step 440 identifies that the malware analysis has completed, program flow moves to step 450, which identifies whether malware has been detected in the packet set.
  • When malware is detected, program flow moves to step 460, where a corrective action is performed.
  • This corrective action may include blocking the download (not sending a last or remaining packet to the destination device) and may also include sending a message to the destination computer to inform the user that malware has been detected in the download data.
  • When malware is not detected, one or more data packets may be allowed to be sent to the destination computer, such that the destination computer receives the requested downloadable data.
  • The steps of FIG. 4 may be performed by one or more computing devices that analyze the content of data packets as a background task that the user does not have to actively manage. Even when the analysis of the received data packets takes a significant amount of time, the user of the destination computer will be free to perform other tasks while malware analysis is being performed.
  • The method of FIG. 4 may prevent a user from repetitively attempting to download a specific file, data set, or webpage.
  • If a user does repetitively attempt to download the same file while an analysis is being performed, the user may be provided a message indicating that a “verdict” relating to whether the download includes malware is still “pending.”
  • Repetitive requests may be intercepted by a computer, such as a firewall, and not be sent to the source computer from which the download has been requested, thus preventing the source computer from receiving repetitive requests and saving network bandwidth at a home network that might otherwise be consumed performing unnecessary repetitive data transfers related to the repetitive requests.
  • One or more computers implementing the functionality of FIG. 4 may perform functions associated with receiving a data set, analyzing that data set, managing the delivery of the data set to a destination computer, or may perform a repetitive download of that data set only as required, without the user of the destination computer attempting to repetitively download the data set.
  • While the receiving and transmission of data packets of the present disclosure may be performed by a firewall and the analysis of data contained within those data packets and “Sandboxing” may be performed by an analysis computer, these actions may alternatively be performed by a single computer.
  • FIG. 5 illustrates a firewall communicating with an analysis computer when data packets sent from a source computer are received by and sent from the firewall. FIG. 5 includes a source computer 510, a firewall 530, an analysis computer 550, and a destination computer 570.
  • FIG. 5 also includes communications 520 sent to/from the destination computer 570 via firewall 530, communications 560 sent to/from the destination computer 570, and communications 540 sent between the firewall 530 and the analysis computer 550.
  • Communications 520 may be transmitted over a computer network such as the Internet, communications 560 may be sent over computer network interfaces at the firewall 530 and at the destination computer 570, and communications 540 may be sent between the firewall and the analysis computer via computer network interfaces at the firewall 530 and the analysis computer 550. Any of the computer networks over which communications 520, 540, and 560 are sent may include wired or wireless network interfaces.
  • Analysis computer 550 may also be remote from firewall 530; for example, analysis computer 550 may reside in the Cloud.
  • Network interfaces associated with the present disclosure may include any form of wired or wireless network interface known in the art.
  • Firewall 530 and analysis computer 550 may perform functions consistent with receiving packets, providing messages, or analyzing computer data sent from source computer 510 when identifying whether the requested downloaded data includes malicious content. Firewall 530 and analysis computer 550 may also perform other functions consistent with the present disclosure, including those functions described in respect to FIGS. 1-4.
  • FIG. 6 illustrates a computing system that may be used to implement an embodiment of the present invention. The computing system 600 of FIG. 6 includes one or more processors 610 and main memory 620. Main memory 620 stores, in part, instructions and data for execution by processor 610, and can store the executable code when in operation.
  • The system 600 of FIG. 6 further includes a mass storage device 630, portable storage medium drive(s) 640, output devices 650, user input devices 660, a graphics display 670, peripheral devices 680, and network interface 695.
  • Processor unit 610 and main memory 620 may be connected via a local microprocessor bus, and the mass storage device 630, peripheral device(s) 680, portable storage device 640, and display system 670 may be connected via one or more input/output (I/O) buses.
  • Mass storage device 630, which may be implemented with a magnetic disk drive or an optical disk drive, is a non-volatile storage device for storing data and instructions for use by processor unit 610. Mass storage device 630 can store the system software for implementing embodiments of the present invention for purposes of loading that software into main memory 620.
  • Portable storage device 640 operates in conjunction with a portable non-volatile storage medium, such as a FLASH memory, compact disk, or digital video disc, to input and output data and code to and from the computer system 600 of FIG. 6.
  • The system software for implementing embodiments of the present invention may be stored on such a portable medium and input to the computer system 600 via the portable storage device 640.
  • Input devices 660 provide a portion of a user interface. Input devices 660 may include an alpha-numeric keypad, such as a keyboard, for inputting alpha-numeric and other information, or a pointing device, such as a mouse, a trackball, stylus, or cursor direction keys.
  • The system 600 as shown in FIG. 6 includes output devices 650. Examples of suitable output devices include speakers, printers, network interfaces, and monitors.
  • Display system 670 may include a liquid crystal display (LCD), a plasma display, an organic light-emitting diode (OLED) display, an electronic ink display, a projector-based display, a holographic display, or another suitable display device. Display system 670 receives textual and graphical information, and processes the information for output to the display device. The display system 670 may include multiple-touch touchscreen input capabilities, such as capacitive touch detection, resistive touch detection, surface acoustic wave touch detection, or infrared touch detection. Such touchscreen input capabilities may or may not allow for variable pressure or force detection.
  • Peripherals 680 may include any type of computer support device to add additional functionality to the computer system. For example, peripheral device(s) 680 may include a modem or a router.
  • Network interface 695 may include any form of computer network interface, whether wired or wireless. As such, network interface 695 may be an Ethernet network interface, a Bluetooth™ wireless interface, an 802.11 interface, or a cellular phone interface.
  • The components contained in the computer system 600 of FIG. 6 are those typically found in computer systems that may be suitable for use with embodiments of the present invention and are intended to represent a broad category of such computer components that are well known in the art. The computer system 600 of FIG. 6 can be a personal computer, a hand held computing device, a telephone (“smart” or otherwise), a mobile computing device, a workstation, a server (on a server rack or otherwise), a minicomputer, a mainframe computer, a tablet computing device, a wearable device (such as a watch, a ring, a pair of glasses, or another type of jewelry/clothing/accessory), a video game console (portable or otherwise), an e-book reader, a media player device (portable or otherwise), a vehicle-based computer, some combination thereof, or any other computing device. The computer can also include different bus configurations, networked platforms, multi-processor platforms, etc. The computer system 600 may in some cases be a virtual computer system executed by another computer system.
  • Various operating systems can be used, including Unix, Linux, Windows, Macintosh OS, Palm OS, Android, iOS, and other suitable operating systems.
  • Non-transitory computer-readable storage media refer to any medium or media that participate in providing instructions to a central processing unit (CPU) for execution. Such media can take many forms, including, but not limited to, non-volatile and volatile media such as optical or magnetic disks and dynamic memory, respectively. Common forms of non-transitory computer-readable media include, for example, a floppy disk, a flexible disk, a hard disk, magnetic tape, any other magnetic medium, a CD-ROM disk, digital video disk (DVD), any other optical medium, RAM, PROM, EPROM, a FLASHEPROM, and any other memory chip or cartridge.

Abstract

This disclosure is related to methods and apparatus for preventing malicious content from reaching a destination via a dynamic analysis engine that may operate in real-time when packetized data is received. Data packets sent from a source computer may be received and forwarded to an analysis computer that may monitor actions performed by executable program code included within the set of data packets when making determinations regarding whether the data packet set should be classified as malware. In certain instances all but a last data packet of the data packet set may also be sent to the destination computer while the analysis computer executes and monitors the program code included in the data packet set. In instances when the analysis computer identifies that the data packet set does include malware, the malware may be blocked from reaching the destination computer by not sending the last data packet to the destination computer.

Description

CROSS REFERENCE TO RELATED APPLICATIONS
This application is a continuation and claims the priority benefit of U.S. patent application Ser. No. 15/671,445 filed Aug. 8, 2017, now U.S. Pat. No. 10,873,589, the disclosure of which is incorporated herein by reference.
BACKGROUND OF THE INVENTION
Field of Invention
The present invention generally relates to identifying whether data transmitted between different computer systems includes malicious content. More specifically, the present invention relates to identifying whether malware is included in one or more data packets transmitted from a first computer to a second computer.
Description of the Related Art
One of the greatest threats to privacy and to secure computer data is the various sorts of computer malware, such as computer viruses or eavesdropping software. Generally, malware can be any software program that includes code that executes without the knowledge or authorization of an owner or user of a computing device.
Malware is typically distributed by parties with nefarious intent. Malware is commonly used to steal or destroy computer data or to snoop on or spy on the actions of a user when the user operates a computer. Malware is also frequently used to damage a computer or to damage computer data. For example, malware may be used to steal personal or financial information, to blackmail computer users by denying access to their own data unless or until a fee is paid, or to damage infected computers by damaging data stored on those infected computers.
Furthermore, newly developed malware is increasingly difficult to identify. Frequently, until a particular sort of malware has been identified and characterized, conventional techniques that identify whether a communication includes malware can miss detecting the presence of that malware in the communication. This may occur when information in one or more received data packets is hidden or when the malware is not identifiable by a signature associated with the information in the received data packets.
Since computer data is frequently transmitted from computer to computer via one or more data packets, data packets are commonly scanned for malware at a firewall, at a network device, or on a computer of a user before they can be received or executed at a user device. Scanning methods, such as deep packet inspection (DPI), are not able to identify new malware threats, as they rely on pattern matching that identifies attributes or signatures of malicious computer data that have been previously identified and characterized. As such, conventional methods for identifying whether a received set of data packets includes malware may not be able to identify a new malware threat.
What is needed are new methods and systems that identify malware threats that have not been encountered before via dynamic behavior simulation of the given threat and, at the same time, ensure real-time prevention/blocking of such threats rather than being limited to detection and logging of threats.
SUMMARY OF THE CLAIMED INVENTION
The presently claimed invention relates to a method, a non-transitory computer readable storage medium, or an apparatus executing functions consistent with the present disclosure for preventing malicious content from reaching a destination. A method consistent with the present disclosure may include receiving a plurality of data packets sent from a source computer to a destination computer, where each of those data packets is then sent to the destination computer except for at least one packet. After those data packets are received, instructions associated with the plurality of data packets may be executed while actions associated with those instructions are observed. The observation of the execution of the instructions may identify that an action performed by the executed instructions is an unauthorized action, and an identification that the plurality of data packets includes malware may be made when the action performed is the unauthorized action. This method may also include not sending at least one data packet to the destination computer when the malware is identified as being included in the plurality of data packets, thereby preventing the destination computer from receiving the malware in a functional state.
When the method of the presently claimed invention is implemented as a non-transitory computer readable storage medium, a processor executing instructions out of a memory may also receive a plurality of data packets sent from a source computer to a destination computer, where each of those data packets is then sent to the destination computer except for at least one packet. After those data packets are received, instructions associated with the plurality of data packets may be executed while actions associated with those instructions are observed. The observation of the execution of the instructions may identify that an action performed by the executed instructions is an unauthorized action, and an identification that the plurality of data packets includes malware may be made when the action performed is the unauthorized action. This method may also include not sending at least one data packet to the destination computer when the malware is identified as being included in the plurality of data packets, thereby preventing the destination computer from receiving the malware in a functional state.
An apparatus of the presently claimed invention may include an analysis computer that receives a plurality of data packets sent from a source computer to a destination computer, the analysis computer including a memory, a processor executing instructions out of the memory, and a network interface that receives the plurality of data packets, where each of those data packets is then sent to the destination computer except for at least one packet. After those data packets are received, instructions associated with the plurality of data packets may be executed while actions associated with those instructions are observed. The observation of the execution of the instructions may identify that an action performed by the executed instructions is an unauthorized action, and an identification that the plurality of data packets includes malware may be made when the action performed is the unauthorized action. The apparatus may also refrain from sending at least one data packet to the destination computer when the malware is identified as being included in the plurality of data packets, thereby preventing the destination computer from receiving the malware in a functional state.
BRIEF DESCRIPTION OF THE DRAWINGS
FIG. 1 illustrates a flow diagram consistent with the present disclosure where data included in downloaded data packets are received and analyzed for the presence of malware.
FIG. 2 illustrates an exemplary set of steps that may be performed when a set of data packets are received by a computing device.
FIG. 3 illustrates a set of steps that may be performed when data packets associated with a set of data packets are received.
FIG. 4 illustrates an exemplary set of program steps that may be performed when data packets associated with a set of data packets are analyzed by a computing device.
FIG. 5 illustrates a firewall communicating with an analysis computer when data packets sent from a source computer are received by and sent from the firewall.
FIG. 6 illustrates a computing system that may be used to implement an embodiment of the present invention.
DETAILED DESCRIPTION
This disclosure is related to methods and apparatus for preventing malicious content from reaching a destination via a dynamic analysis engine that may operate in real-time when packetized data is received. Data packets sent from a source computer to a destination computer may be initially received by a firewall and be forwarded to an analysis computer. The analysis computer may then monitor actions performed by executable program code included within the set of data packets when making determinations regarding whether the data packet set should be classified as malware. In certain instances all but a last data packet of the data packet set may also be sent to the destination computer while the analysis computer executes and monitors the program code included in the data packet set. By performing operations on those data packets as it receives them, such as forwarding those data packets to the analysis computer or not sending the last data packet to the destination computer, the firewall performs the function of “intercepting” data packets. The dynamic analysis may be performed in real-time or near real-time, thereby optimizing the efficiency of malware threat detection while optimizing network bandwidth. Performing the analysis on a dedicated analysis engine may also allow the performance of the firewall to be improved.
When the analysis computer identifies that the data packet set does include malware, the malware may be blocked from reaching the destination computer by not sending the last data packet to the destination computer. The methods and apparatus described herein may also prepare data included in a set or stream of data packets for evaluations that may identify whether malware is included in the data packet set.
As the computing device receives the data packets from the firewall, the computing device may prepare data included in the data packets for evaluation, after which the computing device may analyze data included in the data packet set to see if that data includes malware. The preparation of the data in the data packets for evaluation may include de-obfuscating the data included in the data packets, where the de-obfuscation may include decrypting or reordering/resequencing data included in the data packets. When data packets are encrypted, data included in those data packets may be decrypted using a decryption algorithm associated with a secure transfer session. In certain instances, a portion of the data included in the data packet set may be decrypted. The decryption may include XORing at least a portion of the data included in the data packet set with other data or with other data included in the data packet set. In certain instances decryption according to standard secure methods for delivering packages may be considered an authorized function, whereas unexpected decryptions may be associated with an unauthorized function. As such, the XORing of data in a packet set may cause a data packet set to be classified as malware.
An example of reordering/resequencing received data includes reorganizing received data according to an interleaving process that reshuffles the data. Such a process is similar to shuffling a deck of cards where each card is equivalent to one or more data bits/bytes. In such instances, data from different portions of a packet or from different packets may be reorganized, forming an executable data set that may include malware. To accomplish this, code included in one or more packets may include instructions for reordering data included in the data set after it is received. The execution of those instructions may generate malicious code from data that has intentionally been obfuscated to prevent a deep packet inspection engine from detecting malware hidden within the data packet set.
The analysis of the data in the data packets may include executing program code included in the data packets and monitoring the execution of that program code while watching for unauthorized or suspicious actions performed by the program code. Unauthorized actions include, yet are not limited to, writing to a boot block, updating a system registry, making changes to the file system, deleting computer data, copying data, transmitting data to another computer, or intercepting calls to the basic input/output system (BIOS) of a computer executing that program code. The intercepting of BIOS calls by the program code may be identified by observing program code replacing an original BIOS related command with another command or by observing that program code modifying parameters that were included in the original BIOS related command before the original BIOS command can be executed. As such, the analysis function may execute program code for the destination computer using a “Sandboxing” technique, thus allowing the program code to be evaluated for malware in a secure environment. In certain instances, methods and apparatus consistent with the present disclosure may combine “Sandboxing” with deep packet inspection (DPI). Once malware has been identified, signatures may be generated from the packet data for future use by processors that perform a DPI function. Sandboxing and DPI may be performed in parallel, so that malware that has not been previously identified may be detected by the “Sandboxing” technique while malware that has been previously identified may be detected via DPI pattern matching.
The analysis of data included in the data packet set may also observe the execution of program code and identify that the executed program code performs a function relating to organizing further instructions for execution from data included in the plurality of data packets. Once observed, this analysis may then classify this reorganization of data as an unauthorized action, after which the data packet set may be blocked. As such, content included in a data set may be classified as malware based on how program code within that data set behaves or what functions it performs.
Determinations relating to the identification of malware may also be based on a set of rules that identify which program behaviors are authorized and which are unauthorized. For example, a rule may be used to classify data within a data packet set as malware whenever data within that data set is reorganized/reshuffled or when data within that data set is manipulated or de-obfuscated by an XOR function. Alternatively, another rule may indicate that the decryption of packet data is acceptable as long as it is performed in a manner consistent with a standard or expected type of decryption (such as decryption associated with a TCP communication). This other rule may also indicate that further analysis of program data is required after the decryption has been performed.
Even in instances where the reorganization of data is observed, methods consistent with the present disclosure may include continuing the analysis of program code included in a data packet set with the intent of identifying whether that program code performs malicious actions and what malicious acts it does perform. Furthermore, signatures may be generated from the reorganized data for later use by a deep packet inspection (DPI) engine, for example.
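An added Python illustration (not the patent's or SonicWall's code) of the reorder/XOR obfuscation described above and of what the analysis computer does with it: a constructed loader header carries the interleaving and XOR parameters, signature matching on the wire bytes misses a constructed known-bad pattern, and performing the loader's reorder and XOR steps recovers it and yields signatures from both the wire bytes and the reorganized data for later DPI use. The wire format, the pattern and the key are assumptions made for this example.

```python
import hashlib

# Constructed stand-in for a pattern a DPI engine already knows; the bytes are made up.
KNOWN_BAD_PATTERN = b"CONSTRUCTED-KNOWN-BAD-PATTERN"
DPI_SIGNATURES: set[bytes] = {KNOWN_BAD_PATTERN}


def dpi_scan(data: bytes, signatures: set[bytes]) -> set[bytes]:
    """Signature matching as a DPI engine performs it on the bytes it sees."""
    return {sig for sig in signatures if sig in data}


def deal_into_piles(data: bytes, ways: int) -> bytes:
    """The card-shuffle interleaving, used here only to construct the test input:
    byte 0 goes to pile 0, byte 1 to pile 1, ... and the piles are stored back to back."""
    return b"".join(data[i::ways] for i in range(ways))


def reassemble_from_piles(stored: bytes, ways: int) -> bytes:
    """Inverse of deal_into_piles: pile i holds ceil((n - i) / ways) bytes."""
    n, out, pos = len(stored), bytearray(len(stored)), 0
    for i in range(ways):
        size = (n - i + ways - 1) // ways
        out[i::ways] = stored[pos:pos + size]
        pos += size
    return bytes(out)


def xor_with_key(data: bytes, key: bytes) -> bytes:
    """XOR against a repeating key; the same call encodes and decodes."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def build_packet_set(payload: bytes, ways: int, key: bytes) -> bytes:
    """Constructed wire format standing in for the loader the text describes: a
    1-byte pile count, a 1-byte key length, the key, then the shuffled and XORed body."""
    body = xor_with_key(deal_into_piles(payload, ways), key)
    return bytes([ways, len(key)]) + key + body


def dynamic_analysis(packet_set: bytes, signatures: set[bytes]) -> dict:
    """What the analysis computer does once the whole packet set has arrived: carry out
    the transformations the loader would, record each as an observed action, re-run
    DPI on the result and derive signatures for future DPI use."""
    ways, key_len = packet_set[0], packet_set[1]
    key = packet_set[2:2 + key_len]
    body = packet_set[2 + key_len:]
    observed = []
    de_xored = xor_with_key(body, key)                  # the loader's XOR pass
    observed.append("xor_decode")
    recovered = reassemble_from_piles(de_xored, ways)   # the loader's reorder pass
    observed.append("reorder")
    return {
        "observed_actions": observed,
        "dpi_on_wire": dpi_scan(packet_set, signatures),
        "dpi_after_unpack": dpi_scan(recovered, signatures),
        "recovered": recovered,
        # Hash of the bytes as transmitted, so DPI can recognise this exact download next time.
        "wire_sha256": hashlib.sha256(packet_set).hexdigest(),
        # Hash of the reorganised data, the text's second source of signatures.
        "recovered_sha256": hashlib.sha256(recovered).hexdigest(),
    }


if __name__ == "__main__":
    sample = b"constructed header " + KNOWN_BAD_PATTERN + b" constructed tail"
    report = dynamic_analysis(build_packet_set(sample, 3, b"\x5a\xa5\x3c"), DPI_SIGNATURES)
    print("DPI on wire:", report["dpi_on_wire"])
    print("DPI after unpack:", report["dpi_after_unpack"], report["observed_actions"])
```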
FIG. 1 illustrates a flow diagram consistent with the present disclosure where data included in downloaded data packets are received and analyzed for the presence of malware. Step 105 of FIG. 1 receives a packet associated with a set of packets. After the packet of the packet set is received in step 105, step 110 of FIG. 1 identifies whether the received packet is the last packet of the data set; when it is not, program flow moves to step 115 where the received packet is sent to a destination and to a computing device. At the point in time when the received packet is sent to the destination and to the computing device, no determination has been made as to whether the packet set includes malware. In certain instances, the computing device may be a computer in the Cloud that is accessible via the Internet, and the computing device may perform a service of identifying whether received data packet sets include malware. These services may be provided for subscribed users. Alternatively, the computing device may reside in a corporate network or be part of a computer network associated with a user computer that is a destination associated with a set of data packets. In certain instances, a computer that initially receives data packets may also be the computing device that performs operations relating to identifying whether received data packets include malware. In other instances more than one computer may perform these functions; for example, a firewall could receive data packets and send them to another computer for analysis.
After step 115, program flow moves to step 120 where operations are performed with the received packet at the computing device. Operations performed at the computing device may include de-obfuscating information in the data packet, may include resequencing the order of received data, or may include any operation that renders or transforms received information associated with the received set of packets into a form executable by a processor. As such, operations performed in step 120 may be related to decryption of data included in received packets, executing sets of instructions that re-sort the order of instructions included in the received packets, and/or executing instructions included in the received data packets.
After step 120, determination step 125 of FIG. 1 identifies whether malware has been detected/identified in the packet set. When step 125 identifies that the data packet set includes malware, program flow moves to step 130 where a corrective action may be performed. This corrective action may include dropping a connection associated with the received packets, stopping the receipt of data packets, or stopping the re-transmission of packets associated with the packet set. Corrective actions may also include storing information that helps characterize or identify that a source of the packets is not a reputable source of data packets. Another corrective action may relate to storing signatures or other identifying attributes associated with the received data packets, such that these signatures or identifying attributes may be used to more rapidly identify the malware when subsequently received. As such, the methods and apparatus consistent with the present disclosure may combine “Sandboxing,” where instructions included in a data packet set are executed at the computing device, with deep packet inspection (DPI) that identifies patterns or signatures that have been previously identified as being malicious.
When the received data packets include executable code, all of the data packets associated with the packet set being received may have to be received by the computing device before the executable code is executed at the computing device. As such, program flow may alternatively not include step 125 being performed after step 120. In such instances, program flow may flow from step 120 back to step 105 without performing step 125. When malware is not detected, program flow moves from step 125 to step 105 where additional data packets may be received.
When determination step 110 identifies that the received data packet is the last data packet, the last data packet may be sent to the computing device in step 135 of FIG. 1. Next, in step 140 of FIG. 1, operations may be performed with data included in the last packet, and associated operations may be performed after the data packet set is received in its entirety. As such, the operations included in step 140 may include some or all of the operations discussed in respect to step 120 of FIG. 1. In instances where data packets are received out-of-order, the last packet received may not be a packet that is truly the last packet of a packet set, yet may be a last received packet of the packet set.
After step 140, determination step 145 identifies whether malware is detected in the packet set. When malware is detected, program flow moves to step 130 where one or more corrective actions may be performed. Here again corrective actions may include dropping a connection associated with the received packets, stopping the receipt of data packets, stopping the re-transmission of packets associated with the packet set, storing information that helps characterize or identify that a source of the packets is not a reputable source of data packets, and/or storing signatures or other identifying attributes associated with the received data packets. Furthermore, these signatures or identifying attributes may be used to more rapidly identify the malware when subsequently encountered.
When malware is not detected in the set of packets, program flow may move from step 145 to step 150 of FIG. 1, where the last packet is sent to the destination.
FIG. 2 illustrates an exemplary set of steps that may be performed when a set of data packets are received by a computing device. Here again, all but a last data packet of the data packet set may be sent to the destination computer while another computer evaluates data included in the data packet set for malware. Not transmitting the last data packet to the destination computer in step 210 of FIG. 2 may cause the computer that sent the data packet set to identify that the last data packet was “dropped” or “lost” in transmission.
After step 210, step 220 of FIG. 2 identifies whether a determination has been made relating to whether the data packet set includes malware. When a determination has not yet been made in determination step 220, program flow may move from step 220 to step 270 where the last data packet is dropped, then program flow moves to step 280 where a retransmission of the last data packet is received. The retransmission of the last data packet may have been performed by the computer that originally sent the data packet set based on that sending computer not receiving an acknowledgement indicating that the last data packet was received at the destination computer. Such retransmissions are a part of the standard operation of packetized data transfer of computer data; for example, communications sent via the transmission control protocol (TCP) will be retransmitted from a sending computer when the sending computer does not receive an acknowledgment indicating that a particular data packet was received by a destination computer.
After step 270, program flow moves back to step 210 where the last data packet is dropped again. Program flow may move from step 210, to step 220, to step 270, and back to step 210 repetitively until a determination has been made in step 220.
After a determination has been made in step 220, step 240 may identify whether malware has been detected in the data packet set. When malware has been detected in the data packet set, program flow may move from step 240 to step 250 of FIG. 2, where a corrective action is performed. Here again the corrective action performed may correspond to one or more of the corrective actions discussed in respect to FIG. 1 above.
When step 240 indicates that malware is not detected in the set of data packets, program flow moves from step 240 to step 260 where the last data packet is sent to the destination.
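The hold-and-drop loop of FIG. 2, as an added example that is not code from the patent: all but the last packet of a data set are forwarded at once, the withheld last packet and every TCP retransmission of it are dropped while the verdict is pending, and the verdict then either releases the held packet or drops the connection and stores a signature. The class names, the flow identifier and the three-packet data set are constructed assumptions.

```python
"""Simulation of the FIG. 2 firewall loop (added example, not the patent's code).
All names below (HoldingFirewall, Verdict, Packet, FlowState) are assumptions."""
from dataclasses import dataclass, field
from enum import Enum
from typing import Dict, List, Optional, Set
import hashlib


class Verdict(Enum):
    PENDING = "pending"
    BENIGN = "benign"
    MALICIOUS = "malicious"


@dataclass(frozen=True)
class Packet:
    flow: str       # connection identifier, "src:port->dst:port"
    seq: int        # sequence number; a retransmission reuses it
    last: bool      # True for the final packet of the data set
    payload: bytes


@dataclass
class FlowState:
    verdict: Verdict = Verdict.PENDING
    held: Optional[Packet] = None                         # last packet withheld in step 210
    seen: Dict[int, bytes] = field(default_factory=dict)  # copy handed to the analysis computer
    retransmissions_dropped: int = 0                      # how often steps 270/280 ran


class HoldingFirewall:
    def __init__(self) -> None:
        self.flows: Dict[str, FlowState] = {}
        self.to_destination: List[Packet] = []   # what the destination computer receives
        self.dropped_connections: Set[str] = set()
        self.signature_store: Set[str] = set()   # signatures kept as a corrective action

    def receive(self, pkt: Packet) -> str:
        """Step 210: forward every packet except the last; hold (and keep dropping) the last."""
        if pkt.flow in self.dropped_connections:
            return "connection-dropped"
        st = self.flows.setdefault(pkt.flow, FlowState())
        st.seen[pkt.seq] = pkt.payload
        if not pkt.last:
            self.to_destination.append(pkt)
            return "forwarded"
        if st.verdict is Verdict.PENDING:          # step 220: no determination yet
            if st.held is None:
                st.held = pkt                      # first arrival of the last packet
            else:
                st.retransmissions_dropped += 1    # step 270: drop the TCP retransmission
            return "held"
        if st.verdict is Verdict.BENIGN:           # step 260 for a late retransmission
            self.to_destination.append(pkt)
            return "forwarded"
        return "connection-dropped"

    def verdict_received(self, flow: str, verdict: Verdict) -> str:
        """Steps 240-260: act on the analysis computer's determination."""
        st = self.flows[flow]
        st.verdict = verdict
        if verdict is Verdict.MALICIOUS:           # step 250: corrective actions
            self.dropped_connections.add(flow)
            stream = b"".join(st.seen[s] for s in sorted(st.seen))
            self.signature_store.add(hashlib.sha256(stream).hexdigest())
            st.held = None
            return "corrective-action"
        if st.held is not None:                    # step 260: release the held last packet
            self.to_destination.append(st.held)
            st.held = None
        return "released"


def simulate(malicious: bool) -> dict:
    """Drive one constructed three-packet data set through the firewall."""
    fw = HoldingFirewall()
    flow = "192.0.2.10:51000->198.51.100.7:443"    # constructed RFC 5737 addresses
    parts = [b"MZ\x90\x00", b"...body...", b"tail"]
    actions = [fw.receive(Packet(flow, i, i == len(parts) - 1, p))
               for i, p in enumerate(parts)]
    # The sender's TCP stack retransmits the unacknowledged last packet twice.
    actions += [fw.receive(Packet(flow, 2, True, parts[2])) for _ in range(2)]
    verdict = Verdict.MALICIOUS if malicious else Verdict.BENIGN
    actions.append(fw.verdict_received(flow, verdict))
    actions.append(fw.receive(Packet(flow, 2, True, parts[2])))   # one late retransmission
    return {
        "actions": actions,
        "delivered_seqs": [p.seq for p in fw.to_destination],
        "retransmissions_dropped": fw.flows[flow].retransmissions_dropped,
        "signatures_stored": len(fw.signature_store),
    }
```

The destination sees a duplicate of the last packet only in the benign case, which its own TCP stack discards; in the malicious case it never sees the last packet at all.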
FIG. 3 illustrates a set of steps that may be performed when data packets associated with a set of data packets are received. Step 310 is a step where data included in one or more data packets of the data packet set are de-obfuscated. This de-obfuscation operation may include one or more steps, including, yet not limited to, decrypting data in the received data packets or resequencing data in the data packets.
After step 310, step 320 may execute one or more instructions included in or associated with the received set of data packets. Step 330 of FIG. 3 is a step where actions performed when the instructions are executed are observed. After step 330, step 340 identifies whether any unauthorized action is performed by the executable code when it executes. Unauthorized actions are actions where program code included in a set of data packets accesses or sends information that is considered inappropriate. Unauthorized actions may also include writes to one or more data storage locations that are considered sensitive. Examples of unauthorized actions include, yet are not limited to, accessing or transmitting data such as registry data, passwords, user account information, web browsing history, file system data, and/or financial information. Additional examples of unauthorized actions include writing to a computer registry, writing to the boot block of a data storage device (such as writing to Logical Block Address zero (LBA 0) of a disk drive), writing to a data storage location where program data is stored, and/or the operation of code that prevents the normal operation or booting of a computer system. Such unauthorized actions can significantly affect the performance of a destination computer or can render the computer system unusable by a user. For example, overwriting LBA 0 of a disk drive can prevent a computer system from booting because LBA 0 is typically used to store data that is required for that computer to boot (start up and initialize).
When an unauthorized action is identified in step 340, program flow may move from step 340 to step 350 of FIG. 3. Here again corrective actions performed may include any of the corrective actions discussed in respect to FIG. 1.
When an unauthorized action is not identified in step 340, program flow may move to step 360, which determines whether the execution of the instructions included in the set of data packets has completed. When execution has not completed, program flow moves from step 360 back to step 320, where the execution of the instructions included in the data packet set continues.
When step 360 identifies that the instructions included in the data packet set have completed, program flow moves to step 370 where the last packet associated with the data packet set is sent to the destination.
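The observation loop of FIG. 3 (steps 320 through 370), as an added example that is not code from the patent: each observed action is checked against the unauthorized-action categories the description lists (registry, LBA 0, program storage, sensitive data reads or sends, boot interference), execution stops at the first unauthorized action, and a data-reorganizing action is recorded as suspicious in the sense of claim 1. The action vocabulary and the two traces are constructed stand-ins for what a sandbox would observe.

```python
"""Monitor for the FIG. 3 loop (added example, not the patent's code).
Action, classify, Observation and observe are assumed names; the traces are constructed."""
from dataclasses import dataclass, field
from typing import Iterable, List, Optional

# Data categories the description names as inappropriate to access or transmit.
SENSITIVE_DATA = {"registry", "passwords", "user_accounts", "browser_history",
                  "file_system", "financial"}
# Storage locations the description names as inappropriate write targets.
PROTECTED_WRITE_TARGETS = {"registry", "disk_lba0", "program_storage", "boot_config"}


@dataclass(frozen=True)
class Action:
    op: str              # "read", "write", "send", "reorganize" or "compute"
    target: str          # storage location, data category or network destination
    data_class: str = ""  # for "send": which class of data is being transmitted


def classify(action: Action) -> str:
    """Step 340 policy: 'unauthorized', 'suspicious' or 'benign' for one observed action."""
    if action.op == "write" and action.target in PROTECTED_WRITE_TARGETS:
        return "unauthorized"
    if action.op == "read" and action.target in SENSITIVE_DATA:
        return "unauthorized"
    if action.op == "send" and action.data_class in SENSITIVE_DATA:
        return "unauthorized"
    if action.op == "reorganize":   # code rewriting the data it arrived in (self-decoding)
        return "suspicious"
    return "benign"


@dataclass
class Observation:
    verdict: str                    # "malicious" or "benign"
    steps_executed: int
    suspicious: List[Action] = field(default_factory=list)
    offending: Optional[Action] = None


def observe(actions: Iterable[Action]) -> Observation:
    """Steps 320-360: execute and observe one action at a time, stopping at the first
    unauthorized action (340 -> 350); otherwise run to completion (360 -> 370)."""
    suspicious: List[Action] = []
    executed = 0
    for act in actions:
        executed += 1
        outcome = classify(act)
        if outcome == "unauthorized":
            return Observation("malicious", executed, suspicious, act)
        if outcome == "suspicious":
            suspicious.append(act)
    return Observation("benign", executed, suspicious)


# Constructed traces standing in for sandbox observations.
STAGED_TRACE = [
    Action("compute", "stack"),
    Action("reorganize", "received_buffer"),     # first action: suspicious, reorganizes data
    Action("write", "disk_lba0"),                # additional action: inappropriate location
    Action("send", "203.0.113.9", "passwords"),  # never reached; execution stops above
]
BENIGN_TRACE = [
    Action("compute", "stack"),
    Action("read", "temp_dir"),
    Action("write", "temp_dir"),
    Action("send", "203.0.113.9", "telemetry"),
]
```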
FIG. 4 illustrates an exemplary set of program steps that may be performed when data packets associated with a set of data packets are analyzed by a computing device. These data packets may be analyzed after a user request to access a webpage universal resource locator (URL) or to download a file has been received from a destination computer. Step 410 of FIG. 4 is a step where it is identified that the destination computer has attempted to download a set of data packets. This identification may be made immediately as the destination computer attempts to download the data packet set. After step 410, step 420 of FIG. 4 is where the set of data packets is analyzed for the presence of malware.
Next, a determination as to whether the malware analysis of the set of data packets has completed may be performed in step 430 of FIG. 4 . When the malware analysis has not yet completed, program flow moves to step 440 where the analysis of the data packet set is continued, after which program flow moves back to step 430 of FIG. 4 . When this analysis continues, a message (not illustrated) may be sent to the destination computer for presentation to a user. The message may indicate that a background process associated with analyzing the set of data packets is being performed to determine whether those data packets include malware or whether they are benign (appear to be free of malware). This message may also inform the user that data related to the attempted download will be provided to the destination computer if the analysis indicates that the download does not include malware.
When step 440 identifies that the malware analysis has completed, program flow moves to step 450 that identifies whether malware has been detected in the packet set. When malware has been detected in the packet set, program flow moves to step 460 where a corrective action is performed. This corrective action may include blocking the download (not sending a last or remaining packet to the destination device) and may also include sending a message to the destination computer to inform the user that malware has been detected in the download data.
When malware is identified as not being present in the download data in step 440, one or more data packets may be allowed to be sent to the destination computer, such that the destination computer receives the requested downloadable data. The steps of FIG. 4 may be performed by one or more computing devices that analyze the content of data packets as a background task that the user does not have to actively manage. Even when the analysis of the received data packets takes a significant amount of time, the user of the destination computer will be free to perform other tasks while malware analysis is being performed.
The method of FIG. 4 may prevent a user from attempting to download a specific file, data set, or webpage repetitively. In instances where a user does repetitively attempt to download the same file while an analysis is being performed, they may be provided a message that indicates that a “verdict” relating to whether the download includes malware is still “pending.” Repetitive requests may be intercepted by a computer, such as a firewall, and not be sent to the source computer from which the download has been requested, thus preventing the source computer from receiving repetitive requests and saving network bandwidth at a home network that might otherwise be consumed performing unnecessary repetitive data transfers related to the repetitive requests. One or more computers implementing the functionality of FIG. 4 may perform functions associated with receiving a data set, analyzing that data set, managing the delivery of the data set to a destination computer, or may perform a repetitive download of that data set only as required, without the user of the destination computer attempting to repetitively download the data set.
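The request handling of FIG. 4, as an added example that is not code from the patent: the first request for a URL triggers one upstream fetch and one analysis, repeated requests for the same URL while the verdict is pending receive a "pending" message and are not sent to the source computer, and the verdict then delivers the data to every waiting requester or blocks it. The class name, the message strings and the URLs are constructed assumptions.

```python
"""FIG. 4 download gate at the firewall (added example, not the patent's code).
DownloadGate and PendingDownload are assumed names; URLs and users are constructed."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple


@dataclass
class PendingDownload:
    requesters: Set[str] = field(default_factory=set)
    repeat_requests: int = 0
    verdict: Optional[str] = None   # None while analysis runs, then "benign" or "malicious"


class DownloadGate:
    def __init__(self) -> None:
        self.downloads: Dict[str, PendingDownload] = {}
        self.upstream_fetches: List[str] = []         # requests actually sent to the source
        self.delivered: List[Tuple[str, str]] = []    # (user, url) pairs released to users

    def request(self, user: str, url: str) -> str:
        """Step 410: intercept a download request and answer the user."""
        dl = self.downloads.get(url)
        if dl is None:                                # first request: fetch once, analyze once
            self.downloads[url] = PendingDownload({user})
            self.upstream_fetches.append(url)
            return "analysis started in background; data delivered if no malware is found"
        if dl.verdict is None:                        # repeat request while steps 430/440 loop
            dl.repeat_requests += 1                   # absorbed here, not sent upstream
            dl.requesters.add(user)
            return "verdict pending"
        if dl.verdict == "malicious":                 # step 460 already blocked this URL
            return "blocked: malware detected"
        self.delivered.append((user, url))            # verdict benign: serve from the gate
        return "delivered"

    def analysis_complete(self, url: str, malicious: bool) -> List[str]:
        """Steps 450/460: record the verdict; on benign, release to all waiting users."""
        dl = self.downloads[url]
        dl.verdict = "malicious" if malicious else "benign"
        if malicious:
            return []
        released = sorted(dl.requesters)
        for user in released:
            self.delivered.append((user, url))
        return released
```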
While the receiving and transmission of data packets of the present disclosure may be performed by a firewall and while the analysis of data contained within those data packets and “Sandboxing” may be performed by an analysis computer, these actions may alternatively be performed by a single computer.
FIG. 5 illustrates a firewall communicating with an analysis computer when data packets sent from a source computer are received by and sent from the firewall. FIG. 5 includes a source computer 510, a firewall 530, an analysis computer 550, and a destination computer 570. FIG. 5 also includes communications 520 sent to/from the destination computer 570 via firewall 530, communications 560 sent to/from the destination computer 570, and communications 540 sent between the firewall 530 and the analysis computer 550. Note that communications 520 may be transmitted over a computer network such as the Internet, that communications 560 may be sent over computer network interfaces at the firewall 530 and at the destination computer 570, and that communications 540 may be sent between the firewall and the analysis computer via computer network interfaces at the firewall 530 and the analysis computer 550. Note also that any of the computer networks over which communications 520, 540, and 560 are sent may include wired or wireless network interfaces. Analysis computer 550 may also be remote from firewall 530 and may reside in the cloud. Network interfaces associated with the present disclosure may include any form of wired or wireless network interface known in the art.
The various components of FIG. 5 may implement functions associated with the receipt and analysis of computer data that may have been requested by destination computer 570 and have been provided by source computer 510. In such instances, firewall 530 and analysis computer 550 may perform functions consistent with receiving packets, providing messages, or analyzing computer data sent from source computer 510 when identifying whether the requested downloaded data includes malicious content. As such, firewall 530 and analysis computer 550 may perform functions consistent with the present disclosure, including those functions described in respect to FIGS. 1-4.
FIG. 6 illustrates a computing system that may be used to implement an embodiment of the present invention. The computing system 600 of FIG. 6 includes one or more processors 610 and main memory 620. Main memory 620 stores, in part, instructions and data for execution by processor 610. Main memory 620 can store the executable code when in operation. The system 600 of FIG. 6 further includes a mass storage device 630, portable storage medium drive(s) 640, output devices 650, user input devices 660, a graphics display 670, peripheral devices 680, and network interface 695.
The components shown in FIG. 6 are depicted as being connected via a single bus 690. However, the components may be connected through one or more data transport means. For example, processor unit 610 and main memory 620 may be connected via a local microprocessor bus, and the mass storage device 630, peripheral device(s) 680, portable storage device 640, and display system 670 may be connected via one or more input/output (I/O) buses.
Mass storage device 630, which may be implemented with a magnetic disk drive or an optical disk drive, is a non-volatile storage device for storing data and instructions for use by processor unit 610. Mass storage device 630 can store the system software for implementing embodiments of the present invention for purposes of loading that software into main memory 620.
Portable storage device 640 operates in conjunction with a portable non-volatile storage medium, such as a FLASH memory, compact disk or digital video disc, to input and output data and code to and from the computer system 600 of FIG. 6. The system software for implementing embodiments of the present invention may be stored on such a portable medium and input to the computer system 600 via the portable storage device 640.
Input devices 660 provide a portion of a user interface. Input devices 660 may include an alpha-numeric keypad, such as a keyboard, for inputting alpha-numeric and other information, or a pointing device, such as a mouse, a trackball, stylus, or cursor direction keys. Additionally, the system 600 as shown in FIG. 6 includes output devices 650. Examples of suitable output devices include speakers, printers, network interfaces, and monitors.
Display system 670 may include a liquid crystal display (LCD), a plasma display, an organic light-emitting diode (OLED) display, an electronic ink display, a projector-based display, a holographic display, or another suitable display device. Display system 670 receives textual and graphical information, and processes the information for output to the display device. The display system 670 may include multiple-touch touchscreen input capabilities, such as capacitive touch detection, resistive touch detection, surface acoustic wave touch detection, or infrared touch detection. Such touchscreen input capabilities may or may not allow for variable pressure or force detection.
Peripherals 680 may include any type of computer support device to add additional functionality to the computer system. For example, peripheral device(s) 680 may include a modem or a router.
Network interface 695 may include any form of computer interface of a computer, whether that be a wired network interface or a wireless interface. As such, network interface 695 may be an Ethernet network interface, a BlueTooth™ wireless interface, an 802.11 interface, or a cellular phone interface.
The components contained in the computer system 600 of FIG. 6 are those typically found in computer systems that may be suitable for use with embodiments of the present invention and are intended to represent a broad category of such computer components that are well known in the art. Thus, the computer system 600 of FIG. 6 can be a personal computer, a hand held computing device, a telephone (“smart” or otherwise), a mobile computing device, a workstation, a server (on a server rack or otherwise), a minicomputer, a mainframe computer, a tablet computing device, a wearable device (such as a watch, a ring, a pair of glasses, or another type of jewelry/clothing/accessory), a video game console (portable or otherwise), an e-book reader, a media player device (portable or otherwise), a vehicle-based computer, some combination thereof, or any other computing device. The computer can also include different bus configurations, networked platforms, multi-processor platforms, etc. The computer system 600 may in some cases be a virtual computer system executed by another computer system. Various operating systems can be used including Unix, Linux, Windows, Macintosh OS, Palm OS, Android, iOS, and other suitable operating systems.
The present invention may be implemented in an application that may be operable using a variety of devices. Non-transitory computer-readable storage media refer to any medium or media that participate in providing instructions to a central processing unit (CPU) for execution. Such media can take many forms, including, but not limited to, non-volatile and volatile media such as optical or magnetic disks and dynamic memory, respectively. Common forms of non-transitory computer-readable media include, for example, a floppy disk, a flexible disk, a hard disk, magnetic tape, any other magnetic medium, a CD-ROM disk, digital video disk (DVD), any other optical medium, RAM, PROM, EPROM, a FLASHEPROM, and any other memory chip or cartridge.
While various flow diagrams provided and described above may show a particular order of operations performed by certain embodiments of the invention, it should be understood that such order is exemplary (e.g., alternative embodiments can perform the operations in a different order, combine certain operations, overlap certain operations, etc.).
The foregoing detailed description of the technology herein has been presented for purposes of illustration and description. It is not intended to be exhaustive or to limit the technology to the precise form disclosed. Many modifications and variations are possible in light of the above teaching. The described embodiments were chosen in order to best explain the principles of the technology and its practical application, to thereby enable others skilled in the art to best utilize the technology in various embodiments and with various modifications as are suited to the particular use contemplated. It is intended that the scope of the technology be defined by the claims.

Claims (21)

What is claimed is:
1. A method for detecting malicious content, the method comprising:
receiving data at a sandbox device, wherein the data is received from a separate firewall device after the separate firewall device receives the data from a sender device, a first portion of the data being sent to a destination device while holding a second portion of the data at the firewall device until at least after an observation of the data at the sandbox device;
observing that a first action is performed when instructions included in the received data are executed at the sandbox device;
identifying that the first action is suspicious and includes reorganizing at least a portion of the received data;
observing an additional action performed when instructions included in the reorganized data portion are executed at the sandbox device, wherein the additional action includes accessing an inappropriate data storage location;
identifying that the additional action is classified as malicious; and
performing a second action based on the additional action being classified as malicious, wherein the second action occurs after the observation of the data at the sandbox device.
2. The method of claim 1, further comprising sending a message to the firewall device identifying that the received data is malicious, wherein the firewall device drops the second portion of the data based on the message indicating that the received data is malicious.
3. The method of claim 1, further comprising:
identifying an attribute associated with the received data; and
storing the attribute associated with the received data.
4. The method of claim 1, further comprising:
generating a signature from the received data; and
storing the signature at a deep packet inspection data store.
5. The method of claim 1, wherein the first action includes intercepting a basic input/output (BIOS) instruction.
6. The method of claim 1, wherein the first action includes accessing an inappropriate data storage location.
7. The method of claim 1, wherein the first action includes de-obfuscating the additional instructions included in the received data.
8. The method of claim 1, wherein the additional action or the second action includes preparing to transmit data from the sandbox device.
9. The method of claim 1, further comprising:
receiving a second set of data at the sandbox device, wherein the second set of data is received from the separate firewall device after the separate firewall device receives the second set of data;
observing one or more actions performed when instructions included in the second set of received data are executed; and
performing a deep packet inspection (DPI) scan on the second set of data while observing the one or more actions performed when the instructions included in the second set of received data are executed.
10. The method of claim 9, wherein the one or more actions are observed while the DPI scan is performed based on the sandbox device being a multi-processor platform.
11. The method of claim 9, further comprising:
identifying based on the observing of the one or more performed actions that the second set of data includes malicious instructions;
storing a signature generated from the second set of data;
generating a second signature from a third set of received data;
identifying that the signature matches the second signature; and
identifying that the third set of data includes the malicious instructions based on the signature matching the second signature.
12. A non-transitory computer-readable storage medium having embodied thereon a program executable by a processor for implementing a method for detecting malicious content, the method comprising:
receiving data at a sandbox device, wherein the data is received from a separate firewall device after the separate firewall device receives the data from a sender device, a first portion of the data being sent to a destination device while holding a second portion of the data at the firewall device until at least after an observation of the data at the sandbox device;
observing that a first action is performed when instructions included in the received data are executed at the sandbox device;
identifying that the first action is suspicious and includes reorganizing at least a portion of the received data;
observing an additional action performed when instructions included in the reorganized data portion are executed at the sandbox device, wherein the additional action includes accessing an inappropriate data storage location;
identifying that the additional action is classified as malicious; and
performing a second action based on the additional action being classified as malicious, wherein the second action occurs after the observation of the data at the sandbox device.
13. The non-transitory computer-readable storage medium of claim 12, the program is further executable to send a message to the firewall device identifying that the received data is malicious, wherein the firewall device drops the second portion of the data based on the message indicating that the received data is malicious.
14. The method of claim 12, further comprising:
identifying an attribute associated with the received data; and
storing the attribute associated with the received data.
15. The method of claim 12, further comprising:
generating a signature from the received data; and
storing the signature at a deep packet inspection data store.
16. The non-transitory computer-readable storage medium of claim 12, wherein the first action includes intercepting a basic input/output (BIOS) instruction.
17. The non-transitory computer-readable storage medium of claim 12, wherein the first action includes accessing an inappropriate data storage location.
18. A system for detecting malicious content, the system comprising:
a firewall device that:
receives a data set based on information received from a destination device;
sends the data set for analysis,
sends a first portion of the data set to the destination device, and
holds a second portion of the data set at the firewall device without immediately sending the second portion of the data set to the destination device; and
a sandbox device that is separate from the firewall device, wherein the sandbox device:
receives the data set from the firewall device,
performs the analysis,
observes that a first action is performed when instructions included in the first data set are executed based on the analysis,
identifies that the first action is suspicious and includes reorganizing at least a portion of the received data,
observes that an additional action is performed when instructions included in the reorganized data portion are executed at the sandbox device, wherein the additional action includes accessing an inappropriate data storage location,
identifies that the additional action is classified as malicious, and
performs a second action based on the additional action being classified as malicious, wherein the second action occurs after the observation of the data at the sandbox device.
19. The system of claim 18, wherein the sandbox device further:
identifies an attribute associated with the received data; and
stores the attribute associated with the received data.
20. The system of claim 18, wherein the sandbox device further:
generates a signature from the received data; and
stores the signature at a deep packet inspection data store.
21. The system of claim 18, wherein the first action includes intercepting a basic input/output (BIOS) instruction.

Priority Applications (2)

Application Number Priority Date Filing Date Title
US17/128,639 US11558405B2 (en) 2017-08-08 2020-12-21 Real-time prevention of malicious content via dynamic analysis
US17/949,796 US20230020421A1 (en) 2017-08-08 2022-09-21 Real-time prevention of malicious content via dynamic analysis

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
US15/671,445 US10873589B2 (en) 2017-08-08 2017-08-08 Real-time prevention of malicious content via dynamic analysis
US17/128,639 US11558405B2 (en) 2017-08-08 2020-12-21 Real-time prevention of malicious content via dynamic analysis

Related Parent Applications (1)

Application Number Title Priority Date Filing Date
US15/671,445 Continuation US10873589B2 (en) 2017-08-08 2017-08-08 Real-time prevention of malicious content via dynamic analysis

Related Child Applications (1)

Application Number Title Priority Date Filing Date
US17/949,796 Continuation US20230020421A1 (en) 2017-08-08 2022-09-21 Real-time prevention of malicious content via dynamic analysis

Publications (2)

Publication Number Publication Date
US20210185062A1 US20210185062A1 (en) 2021-06-17
US11558405B2 US11558405B2 (en) 2023-01-17

Family

ID=65271836

Family Applications (3)

Application Number Title Priority Date Filing Date
US15/671,445 Active US10873589B2 (en) 2017-08-08 2017-08-08 Real-time prevention of malicious content via dynamic analysis
US17/128,639 Active 2038-03-03 US11558405B2 (en) 2017-08-08 2020-12-21 Real-time prevention of malicious content via dynamic analysis
US17/949,796 Pending US20230020421A1 (en) 2017-08-08 2022-09-21 Real-time prevention of malicious content via dynamic analysis

Family Applications Before (1)

Application Number Title Priority Date Filing Date
US15/671,445 Active US10873589B2 (en) 2017-08-08 2017-08-08 Real-time prevention of malicious content via dynamic analysis

Family Applications After (1)

Application Number Title Priority Date Filing Date
US17/949,796 Pending US20230020421A1 (en) 2017-08-08 2022-09-21 Real-time prevention of malicious content via dynamic analysis

Country Status (4)

Country Link
US (3) US10873589B2 (en)
EP (2) EP3665573B1 (en)
ES (1) ES2936860T3 (en)
WO (1) WO2019032702A1 (en)

US20140215621A1 (en) 2013-01-25 2014-07-31 REMTCS Inc. System, method, and apparatus for providing network security
US8832836B2 (en) 2010-12-30 2014-09-09 Verisign, Inc. Systems and methods for malware detection and scanning
US8910238B2 (en) 2012-11-13 2014-12-09 Bitdefender IPR Management Ltd. Hypervisor-based enterprise endpoint protection
US20150089651A1 (en) 2013-07-15 2015-03-26 Eset, Spol. S R.O. Methods of detection of software exploitation
US20150096022A1 (en) 2013-09-30 2015-04-02 Michael Vincent Dynamically adaptive framework and method for classifying malware using intelligent static, emulation, and dynamic analyses
US20150096018A1 (en) 2013-09-27 2015-04-02 Bitdefender IPR Management Ltd. Systems and Methods for Using a Reputation Indicator to Facilitate Malware Scanning
US20150227742A1 (en) 2014-02-12 2015-08-13 Symantec Corporation Systems and methods for scanning packed programs in response to detecting suspicious behaviors
US9141794B1 (en) 2009-03-10 2015-09-22 Trend Micro Incorporated Preemptive and/or reduced-intrusion malware scanning
US9202048B2 (en) 2010-01-27 2015-12-01 Mcafee, Inc. Method and system for discrete stateful behavioral analysis
US20160099963A1 (en) 2008-10-21 2016-04-07 Lookout, Inc. Methods and systems for sharing risk responses between collections of mobile communications devices
US20160098560A1 (en) 2012-07-13 2016-04-07 Cisco Technology, Inc. Method and apparatus for retroactively detecting malicious or otherwise undesirable software as well as clean software through intelligent rescanning
US9355247B1 (en) 2013-03-13 2016-05-31 Fireeye, Inc. File extraction from memory dump for malicious content analysis
US9411953B1 (en) 2013-05-24 2016-08-09 Symantec Corporation Tracking injected threads to remediate malware
US9516055B1 (en) 2015-05-29 2016-12-06 Trend Micro Incorporated Automatic malware signature extraction from runtime information
US20160357958A1 (en) 2015-06-08 2016-12-08 Michael Guidry Computer System Security
US20160378640A1 (en) 2015-06-26 2016-12-29 AVAST Software s.r.o. Dynamic binary translation and instrumentation with postponed attachment to running native threads
US20170171240A1 (en) 2015-12-09 2017-06-15 Check Point Software Technologies Ltd. Method and system for identifying uncorrelated suspicious events during an attack
US20170289176A1 (en) * 2016-03-31 2017-10-05 International Business Machines Corporation Internet of things security appliance
US20170329621A1 (en) 2011-02-08 2017-11-16 Pegasystems Inc. Code injection and code interception in an operating system with multiple subsystem environments
US9836604B2 (en) 2015-01-30 2017-12-05 International Business Machines Corporation File integrity preservation
US20180018459A1 (en) 2016-07-15 2018-01-18 Trustlook Inc. Notification of Maliciousness Categorization of Application Programs for Mobile Devices
GB2553033A (en) 2017-06-29 2018-02-21 F Secure Corp Protection from malicious and/or harmful content in cloud-based service scenarios
US20180052720A1 (en) 2016-08-18 2018-02-22 Crowdstrike, Inc. Tracing System Operations Across Remote Procedure Linkages to Identify Request Originators
US9990497B2 (en) 2012-11-06 2018-06-05 Forensic Scan, LLC Method to scan a forensic image of a computer system with multiple malicious code detection engines simultaneously from a master control point
US20190052651A1 (en) 2017-08-08 2019-02-14 Sonicwall Inc. Real-time prevention of malicious content via dynamic analysis
US10210329B1 (en) 2015-09-30 2019-02-19 Fireeye, Inc. Method to detect application execution hijacking using memory protection
US20190065740A1 (en) 2017-08-29 2019-02-28 Red Hat, Inc. Generation of a random value for a child process
US20190114421A1 (en) 2017-10-13 2019-04-18 Sonicwall Inc. Just in time memory analysis for malware detection
WO2019133637A1 (en) 2017-12-29 2019-07-04 Sonicwall Inc. Detection of exploitative program code
US20190236275A1 (en) 2018-01-31 2019-08-01 Sonicwall Inc. Just in time memory analysis for malware detection
US20190342313A1 (en) 2018-05-03 2019-11-07 Sophos Limited Method for conditionally hooking endpoint processes with a security agent
US20190347413A1 (en) 2018-05-14 2019-11-14 Sonicwall Inc. Cloud based just in time memory analysis for malware detection
US20190354680A1 (en) 2018-05-21 2019-11-21 International Business Machines Corporation Identifying malicious executing code of an enclave

Family Cites Families (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US7990967B2 (en) * 2005-01-06 2011-08-02 Rockwell Automation Technologies, Inc. Firewall method and apparatus for industrial systems
US8327137B1 (en) * 2005-03-25 2012-12-04 Advanced Micro Devices, Inc. Secure computer system with service guest environment isolated driver
US8353037B2 (en) * 2009-12-03 2013-01-08 International Business Machines Corporation Mitigating malicious file propagation with progressive identifiers
US8893278B1 (en) * 2011-07-12 2014-11-18 Trustwave Holdings, Inc. Detecting malware communication on an infected computing device
US9430646B1 (en) * 2013-03-14 2016-08-30 Fireeye, Inc. Distributed systems and methods for automatically detecting unknown bots and botnets
US20150277742A1 (en) 2014-04-01 2015-10-01 Cheng Uei Precision Industry Co., Ltd. Wearable electronic device
US9882929B1 (en) * 2014-09-30 2018-01-30 Palo Alto Networks, Inc. Dynamic selection and generation of a virtual clone for detonation of suspicious content within a honey network

Patent Citations (88)

Publication number Priority date Publication date Assignee Title
US6804780B1 (en) 1996-11-08 2004-10-12 Finjan Software, Ltd. System and method for protecting a computer and a network from hostile downloadables
US6154844A (en) 1996-11-08 2000-11-28 Finjan Software, Ltd. System and method for attaching a downloadable security profile to a downloadable
US8677494B2 (en) 1997-01-29 2014-03-18 Finjan, Inc. Malicious mobile code runtime monitoring system and methods
US7613926B2 (en) 1997-11-06 2009-11-03 Finjan Software, Ltd Method and system for protecting a computer and a network from hostile downloadables
US7975305B2 (en) 1997-11-06 2011-07-05 Finjan, Inc. Method and system for adaptive rule-based content scanners for desktop computers
US8225408B2 (en) 1997-11-06 2012-07-17 Finjan, Inc. Method and system for adaptive rule-based content scanners
US7058822B2 (en) 2000-03-30 2006-06-06 Finjan Software, Ltd. Malicious mobile code runtime monitoring system and methods
US7647633B2 (en) 2000-03-30 2010-01-12 Finjan Software, Ltd. Malicious mobile code runtime monitoring system and methods
US20020009079A1 (en) * 2000-06-23 2002-01-24 Jungck Peder J. Edge adapter apparatus and method
US20030033542A1 (en) 2001-06-11 2003-02-13 Mcnc Intrusion tolerant communication networks and associated methods
US20030140248A1 (en) 2002-01-24 2003-07-24 David Izatt Undetectable firewall
US7934103B2 (en) 2002-04-17 2011-04-26 Computer Associates Think, Inc. Detecting and countering malicious code in enterprise networks
US6965968B1 (en) 2003-02-27 2005-11-15 Finjan Software Ltd. Policy-based caching
US7971255B1 (en) 2004-07-15 2011-06-28 The Trustees Of Columbia University In The City Of New York Detecting and preventing malcode execution
US20060224724A1 (en) * 2005-03-31 2006-10-05 Microsoft Corporation Latency free scanning of malware at a network transit point
US8141154B2 (en) 2005-12-12 2012-03-20 Finjan, Inc. System and method for inspecting dynamically generated executable code
US20070157203A1 (en) 2005-12-29 2007-07-05 Blue Jungle Information Management System with Two or More Interactive Enforcement Points
US20070261112A1 (en) * 2006-05-08 2007-11-08 Electro Guard Corp. Network Security Device
US20080016339A1 (en) 2006-06-29 2008-01-17 Jayant Shukla Application Sandbox to Detect, Remove, and Prevent Malware
US7523502B1 (en) 2006-09-21 2009-04-21 Symantec Corporation Distributed anti-malware
US20090070876A1 (en) 2007-09-07 2009-03-12 Kim Yun Ju Apparatus and method for detecting malicious process
US8104089B1 (en) 2007-12-31 2012-01-24 Symantec Corporation Tracking memory mapping to prevent packers from evading the scanning of dynamically created code
US8146151B2 (en) 2008-02-27 2012-03-27 Microsoft Corporation Safe file transmission and reputation lookup
US20140208426A1 (en) 2008-05-28 2014-07-24 Zscaler, Inc. Systems and methods for dynamic cloud-based malware behavior analysis
US20100024033A1 (en) 2008-07-23 2010-01-28 Kang Jung Min Apparatus and method for detecting obfuscated malicious web page
US8307432B1 (en) 2008-10-07 2012-11-06 Trend Micro Incorporated Generic shellcode detection
US20160099963A1 (en) 2008-10-21 2016-04-07 Lookout, Inc. Methods and systems for sharing risk responses between collections of mobile communications devices
US20110047620A1 (en) 2008-10-21 2011-02-24 Lookout, Inc., A California Corporation System and method for server-coupled malware prevention
US8645923B1 (en) 2008-10-31 2014-02-04 Symantec Corporation Enforcing expected control flow in program execution
US20100185876A1 (en) * 2009-01-20 2010-07-22 Kings Information & Network Keyboard-input information-security apparatus and method
US9141794B1 (en) 2009-03-10 2015-09-22 Trend Micro Incorporated Preemptive and/or reduced-intrusion malware scanning
US20100269171A1 (en) * 2009-04-20 2010-10-21 Check Point Software Technologies, Ltd. Methods for effective network-security inspection in virtualized environments
US8595829B1 (en) 2009-04-30 2013-11-26 Symantec Corporation Systems and methods for automatically blacklisting an internet domain based on the activities of an application
US8276202B1 (en) 2009-06-30 2012-09-25 Aleksandr Dubrovsky Cloud-based gateway security scanning
US20110078794A1 (en) 2009-09-30 2011-03-31 Jayaraman Manni Network-Based Binary File Extraction and Analysis for Malware Detection
US8539578B1 (en) 2010-01-14 2013-09-17 Symantec Corporation Systems and methods for defending a shellcode attack
US9202048B2 (en) 2010-01-27 2015-12-01 Mcafee, Inc. Method and system for discrete stateful behavioral analysis
US20110277033A1 (en) 2010-05-06 2011-11-10 Mcafee, Inc. Identifying Malicious Threads
US8413235B1 (en) 2010-09-10 2013-04-02 Symantec Corporation Malware detection using file heritage data
US7962959B1 (en) 2010-12-01 2011-06-14 Kaspersky Lab Zao Computer resource optimization during malware detection using antivirus cache
US8832836B2 (en) 2010-12-30 2014-09-09 Verisign, Inc. Systems and methods for malware detection and scanning
US20170329621A1 (en) 2011-02-08 2017-11-16 Pegasystems Inc. Code injection and code interception in an operating system with multiple subsystem environments
US20120266243A1 (en) 2011-04-14 2012-10-18 F-Secure Corporation Emulation for malware detection
US20140181976A1 (en) 2011-05-06 2014-06-26 The University Of North Carolina At Chapel Hill Methods, systems, and computer readable media for detecting injected machine code
US20130080625A1 (en) * 2011-09-27 2013-03-28 Fujitsu Limited Monitoring apparatus, control method, and computer-readable recording medium
US20130091584A1 (en) 2011-10-05 2013-04-11 Mcafee, Inc. Distributed System and Method for Tracking and Blocking Malicious Internet Hosts
US20160098560A1 (en) 2012-07-13 2016-04-07 Cisco Technology, Inc. Method and apparatus for retroactively detecting malicious or otherwise undesirable software as well as clean software through intelligent rescanning
US9990497B2 (en) 2012-11-06 2018-06-05 Forensic Scan, LLC Method to scan a forensic image of a computer system with multiple malicious code detection engines simultaneously from a master control point
US8910238B2 (en) 2012-11-13 2014-12-09 Bitdefender IPR Management Ltd. Hypervisor-based enterprise endpoint protection
US20140215621A1 (en) 2013-01-25 2014-07-31 REMTCS Inc. System, method, and apparatus for providing network security
US9355247B1 (en) 2013-03-13 2016-05-31 Fireeye, Inc. File extraction from memory dump for malicious content analysis
US9411953B1 (en) 2013-05-24 2016-08-09 Symantec Corporation Tracking injected threads to remediate malware
US20150089651A1 (en) 2013-07-15 2015-03-26 Eset, Spol. S R.O. Methods of detection of software exploitation
US20150096018A1 (en) 2013-09-27 2015-04-02 Bitdefender IPR Management Ltd. Systems and Methods for Using a Reputation Indicator to Facilitate Malware Scanning
US20150096022A1 (en) 2013-09-30 2015-04-02 Michael Vincent Dynamically adaptive framework and method for classifying malware using intelligent static, emulation, and dynamic analyses
US20150227742A1 (en) 2014-02-12 2015-08-13 Symantec Corporation Systems and methods for scanning packed programs in response to detecting suspicious behaviors
US9836604B2 (en) 2015-01-30 2017-12-05 International Business Machines Corporation File integrity preservation
US9516055B1 (en) 2015-05-29 2016-12-06 Trend Micro Incorporated Automatic malware signature extraction from runtime information
US20160357958A1 (en) 2015-06-08 2016-12-08 Michael Guidry Computer System Security
US20160378640A1 (en) 2015-06-26 2016-12-29 AVAST Software s.r.o. Dynamic binary translation and instrumentation with postponed attachment to running native threads
US10210329B1 (en) 2015-09-30 2019-02-19 Fireeye, Inc. Method to detect application execution hijacking using memory protection
US20170171240A1 (en) 2015-12-09 2017-06-15 Check Point Software Technologies Ltd. Method and system for identifying uncorrelated suspicious events during an attack
US20170289176A1 (en) * 2016-03-31 2017-10-05 International Business Machines Corporation Internet of things security appliance
US20180018459A1 (en) 2016-07-15 2018-01-18 Trustlook Inc. Notification of Maliciousness Categorization of Application Programs for Mobile Devices
US20180052720A1 (en) 2016-08-18 2018-02-22 Crowdstrike, Inc. Tracing System Operations Across Remote Procedure Linkages to Identify Request Originators
GB2553033A (en) 2017-06-29 2018-02-21 F Secure Corp Protection from malicious and/or harmful content in cloud-based service scenarios
US20190052651A1 (en) 2017-08-08 2019-02-14 Sonicwall Inc. Real-time prevention of malicious content via dynamic analysis
WO2019032702A1 (en) 2017-08-08 2019-02-14 Sonicwall Inc. Real-time prevention of malicious content via dynamic analysis
US10873589B2 (en) 2017-08-08 2020-12-22 Sonicwall Inc. Real-time prevention of malicious content via dynamic analysis
US20210185062A1 (en) 2017-08-08 2021-06-17 Sonicwall Inc. Real-time prevention of malicious content via dynamic analysis
US20190065740A1 (en) 2017-08-29 2019-02-28 Red Hat, Inc. Generation of a random value for a child process
US20190114421A1 (en) 2017-10-13 2019-04-18 Sonicwall Inc. Just in time memory analysis for malware detection
WO2019075388A1 (en) 2017-10-13 2019-04-18 Sonicwall Inc. Just in time memory analysis for malware detection
US20220035919A1 (en) 2017-10-13 2022-02-03 Sonicwall Inc. Just in time memory analysis for malware detection
US11151252B2 (en) 2017-10-13 2021-10-19 Sonicwall Inc. Just in time memory analysis for malware detection
US20200380127A1 (en) 2017-12-29 2020-12-03 Sonicwall Inc. Detection of exploitative program code
US10685110B2 (en) 2017-12-29 2020-06-16 Sonicwall Inc. Detection of exploitative program code
EP3732571A1 (en) 2017-12-29 2020-11-04 SonicWall Inc. Detection of exploitative program code
US20190205537A1 (en) 2017-12-29 2019-07-04 Sonicwall Inc. Detection of exploitative program code
WO2019133637A1 (en) 2017-12-29 2019-07-04 Sonicwall Inc. Detection of exploitative program code
US10902122B2 (en) 2018-01-31 2021-01-26 Sonicwall Inc. Just in time memory analysis for malware detection
US20190236275A1 (en) 2018-01-31 2019-08-01 Sonicwall Inc. Just in time memory analysis for malware detection
US20190342313A1 (en) 2018-05-03 2019-11-07 Sophos Limited Method for conditionally hooking endpoint processes with a security agent
WO2019222261A1 (en) 2018-05-14 2019-11-21 Sonicwall Inc. Cloud based just in time memory analysis for malware detection
US20190347413A1 (en) 2018-05-14 2019-11-14 Sonicwall Inc. Cloud based just in time memory analysis for malware detection
US11232201B2 (en) 2018-05-14 2022-01-25 Sonicwall Inc. Cloud based just in time memory analysis for malware detection
US20220222343A1 (en) 2018-05-14 2022-07-14 Sonicwall Inc. Cloud based just in time memory analysis for malware detection
US20190354680A1 (en) 2018-05-21 2019-11-21 International Business Machines Corporation Identifying malicious executing code of an enclave

Non-Patent Citations (31)

Title
"XOR Cipher—Wikipedia", Mar. 19, 2017, XP055758581, Retrieved from the Internet: URL:https://en.wikipedia.org/w/index.php?title=XOR_cipher&oldid=771112755 [retrieved on Dec. 9, 2020].
European Application No. 18844091.1 Extended European Search Report dated Jan. 19, 2021.
European Application No. 18894474.8 Extended European Search Report dated Aug. 3, 2021.
Nethercote, Nicholas; "Dynamic binary analysis and instrumentation", Technical Report, UCAM-CL-TR-606, ISSN 1476-2986, Nov. 2004.
Parsons, Christopher; Chapter One: Deep Packet Inspection and its Predecessors, Feb. 6, 2012 :: Version 3.5.
PCT Application No. PCT/US2018/045814 International Preliminary Report on Patentability dated Feb. 11, 20; 8 pages.
PCT Application No. PCT/US2018/045814 International Search Report and Written Opinion dated Oct. 19, 2018; 9 pages.
PCT Application No. PCT/US2018/055694 International Preliminary Report on Patentability dated Apr. 14, 2020; 7 pages.
PCT Application No. PCT/US2018/055694 International Search Report and Written Opinion dated Feb. 11, 2019; 8 pages.
PCT Application No. PCT/US2018/067541 International Preliminary Report on Patentability dated Jun. 30, 2020; 7 pages.
PCT Application No. PCT/US2018/067541 International Search Report and Written Opinion dated Mar. 27, 2019; 7 pages.
PCT Application No. PCT/US2019/032283 International Preliminary Report on Patentability dated Nov. 17, 2020; 9 pages.
PCT Application No. PCT/US2019/032283 International Search Report and Written Opinion dated Sep. 12, 2019; 10 pages.
Software Instrumentation, Wiley Encyclopedia of Computer Science and Engineering, edited by Benjamin Wah. Copyright 2008 John Wiley & Sons, Inc.
U.S. Appl. No. 15/671,445 Final Office Action dated Aug. 15, 2019.
U.S. Appl. No. 15/671,445 Office Action dated Feb. 25, 2019.
U.S. Appl. No. 15/671,445 Office Action dated May 14, 2020.
U.S. Appl. No. 15/783,793 Final Office Action dated Dec. 11, 2019.
U.S. Appl. No. 15/783,793 Final Office Action dated Oct. 14, 2020.
U.S. Appl. No. 15/783,793 Office Action dated Apr. 16, 2019.
U.S. Appl. No. 15/783,793 Office Action dated Feb. 22, 2021.
U.S. Appl. No. 15/783,793 Office Action dated Jun. 28, 2019.
U.S. Appl. No. 15/858,785 Office Action dated Sep. 6, 2019.
U.S. Appl. No. 15/890,192 Final Office Action dated Jan. 21, 2020.
U.S. Appl. No. 15/890,192 Office Action dated Jun. 11, 2020.
U.S. Appl. No. 15/890,192 Office Action dated Oct. 4, 2019.
U.S. Appl. No. 16/055,958 Final Office Action dated Oct. 9, 2020.
U.S. Appl. No. 16/055,958 Office Action dated Apr. 21, 2020.
U.S. Appl. No. 16/055,958 Office Action dated Mar. 25, 2021.
U.S. Appl. No. 16/903,060 Office Action dated May 12, 2022.
U.S. Appl. No. 17/584,152, Aleksandr Dubrovsky, Cloud Based Just in Memory Analysis for Malware Detection, filed Jan. 25, 2022.

Cited By (3)

Publication number Priority date Publication date Assignee Title
US11797677B2 (en) 2018-05-14 2023-10-24 Sonicwall Inc. Cloud based just in time memory analysis for malware detection
US20210120020A1 (en) * 2019-04-05 2021-04-22 Material Security Inc. Defanging malicious electronic files based on trusted user reporting
US11856007B2 (en) * 2019-04-05 2023-12-26 Material Security Inc. Defanging malicious electronic files based on trusted user reporting

Also Published As

Publication number Publication date
EP3665573B1 (en) 2022-12-14
ES2936860T3 (en) 2023-03-22
EP4177779A1 (en) 2023-05-10
US20230020421A1 (en) 2023-01-19
EP3665573A1 (en) 2020-06-17
EP3665573A4 (en) 2021-02-17
WO2019032702A1 (en) 2019-02-14
US20210185062A1 (en) 2021-06-17
US20190052651A1 (en) 2019-02-14
US10873589B2 (en) 2020-12-22

Similar Documents

Publication Publication Date Title
US11558405B2 (en) Real-time prevention of malicious content via dynamic analysis
US11797677B2 (en) Cloud based just in time memory analysis for malware detection
JP6224173B2 (en) Method and apparatus for dealing with malware
CN106687971B (en) Automatic code locking to reduce attack surface of software
US11550912B2 (en) Detection of exploitative program code
US20220035919A1 (en) Just in time memory analysis for malware detection
US8677493B2 (en) Dynamic cleaning for malware using cloud technology
US20210194915A1 (en) Identification of potential network vulnerability and security responses in light of real-time network risk assessment
US10902122B2 (en) Just in time memory analysis for malware detection
US20240045954A1 (en) Analysis of historical network traffic to identify network vulnerabilities
US20230007013A1 (en) Visualization tool for real-time network risk assessment
KR100985076B1 (en) Apparatus and method for protecting data in usb devices
US20230283633A1 (en) Credential input detection and threat analysis
CN117917043A (en) Credential input detection and threat analysis

Legal Events

Date Code Title Description
FEPP Fee payment procedure

Free format text: ENTITY STATUS SET TO UNDISCOUNTED (ORIGINAL EVENT CODE: BIG.); ENTITY STATUS OF PATENT OWNER: LARGE ENTITY

AS Assignment

Owner name: SONICWALL INC., CALIFORNIA

Free format text: ASSIGNMENT OF ASSIGNORS INTEREST;ASSIGNORS:CHEETANCHERI, SENTHIL;DUBROVSKY, ALEX;HOLAGI, SACHIN;REEL/FRAME:055522/0822

Effective date: 20170807

STPP Information on status: patent application and granting procedure in general

Free format text: APPLICATION DISPATCHED FROM PREEXAM, NOT YET DOCKETED

STPP Information on status: patent application and granting procedure in general

Free format text: DOCKETED NEW CASE - READY FOR EXAMINATION

STPP Information on status: patent application and granting procedure in general

Free format text: NOTICE OF ALLOWANCE MAILED -- APPLICATION RECEIVED IN OFFICE OF PUBLICATIONS

STPP Information on status: patent application and granting procedure in general

Free format text: PUBLICATIONS -- ISSUE FEE PAYMENT RECEIVED

STPP Information on status: patent application and granting procedure in general

Free format text: PUBLICATIONS -- ISSUE FEE PAYMENT VERIFIED

STCF Information on status: patent grant

Free format text: PATENTED CASE